~Toughbooktalk~ Rob - 630-300-8877

The largest Toughbook discussion site on the net!

All times are UTC-06:00




PostPosted: Fri Dec 16, 2016 6:14 pm 

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Contents
1 Abstract
1.1 Architecture
1.2 Hardware Support
1.3 Battery Life

2 Installation
2.1 BIOS Preparation
2.2 Qubes Installation
2.3 Upgrade Fedora 23 to 25
2.4 Make Terminals Useful
2.5 Make Xwindows Useful

3 Hardware Setup
3.1 WWAN
3.2 USB Keyboards and Mice
3.3 Touchscreen
3.4 Intel Audio
3.5 Brightness Control
3.6 USB Printer (optional)

4 Customization
4.1 Basic GUI and Power Settings
4.2 Inter-VM Copy&Paste
4.3 Sudo Confirm
4.4 Anti Evil Maid
4.5 Disable Intel ME/AMT by giving it a ME-cleaned Sleeping Pill
4.6 Customize fedora-25-dvm (optional)
4.7 Install Windows Tools (optional)
4.8 Basic Verification Steps

1 Abstract
The QUBES 3.2 Not Playing Well with CF-31 thread inspired me to play around with Qubes on my CF-191HC51FL.
You might want to have a look at page two of the cf31 thread for a detailed overview of the concepts behind Qubes and educated guesses on its future development.

1.1 Architecture
Any two Qubes systems will probably differ a lot more than say any two Ubuntu systems ...
so I've concept-mapped my current setup for reference.
Attachment: qubes32cf19mk6-20171031ae.png (ConceptMap of current setup with sys-net, sys-usb and sys-whonix)


1.2 Hardware Support
[x] full support
[p] partial support/work in progress
[?] not tested

[x] Network
- [x] 1000mbps ethernet
- [x] 100mbps VEB181-Dock ethernet
- [x] Wifi
- [x] WWAN Ericsson
- [?] Bluetooth
[p] User Experience
- [x] Touchpad
- [x] Keyboard
- [x] USB Mouse and Keyboard
- [x] Audio
- [x] Touchscreen
- [p] FrontButtons -- brightness
- [x] FunctionKeys -- brightness, audio, display
- [x] Suspend to RAM
- [x] Anti Evil Maid -- https://github.com/QubesOS/qubes-antiev ... aid/README
- [x] Intel ME/AMT can be cleaned with ME_Cleaner by using the internal programmer
[p] Ports
- [x] GPS
- [p] ALS ambient light sensor
- [x] USB
- [x] PCMCIA
- [?] Firewire
- [?] MMC
- [?] SD
- [x] USB printer -- optional

BTW: You might also be interested in Guide to OpenBSD 5.9 on Toughbook 19 mk6 and mk3,
if you want more details about my model's hardware and/or like obscure and secure operating systems ;-)

1.3 Battery Life
Qubes heavily relies on Virtual Machines and has a baseline of five VMs (dom0, sys-usb, sys-net, sys-firewall, sys-whonix).
Translation: You already run five operating systems even before you start any of your own App-VMs.
You should expect 3:30 hours real-world battery life on the mk6.

I did three 20min idling-tests using wlan and 10% constant brightness on heavily optimized bios settings.
(everything disabled, cpu eco mode -- only enabled vt-*, wlan, wwan, gps, touchpad, ahci)
These are the averaged results, computed according to ( (N1time/N1bat*100) + (N2time/N2bat*100) ) / Ncount:
- 3:20hours -- thunderbird hogging 100% of 1 core
- 4:17hours -- just chatting
- 4:35hours -- just chatting, with powertop --auto-tune in dom0 and sys-net

cf19mk6 battery life comparison for light workloads:
9:00h = 100% Windows 7
6:30h = 72% OpenBSD 5.9
4:30h = 50% Qubes 3.2

2 Installation

2.1 BIOS Preparation
Enable features: VT-*, HT, TXE, TPM
Disable all devices that you are not going to use in order to reduce attack surface and battery drain.
In my case: Bluetooth, PCMCIA, Firewire, SD, MMC, LAN, Modem, Serial, GPS, USB*
*USB needs to be enabled during installation

2.2 Qubes Installation
create usb stick and boot from it
install: as you wish
select sys-net, sys-usb, sys-whonix on first boot
reboot, necessary to detect networking hardware
# update system
Qubes Manager: fedora-23 => Update VM
Qubes Manager: debian-8 => Update VM
[user@dom0 ~]$ sudo qubes-dom0-update # might fail on first run
reboot

2.3 Upgrade Fedora 23 to 25
update fedora-23 (EOL) and switch template vms for all fedora-23 app vms to fedora-25
https://www.qubes-os.org/doc/template/f ... -24-to-25/

2.4 Make Terminals Useful
[user@dom0 ~]$ sudo qubes-dom0-update tmux htop iotop strace
[user@fedora-25 ~]$ sudo yum install tmux htop iotop strace
[user@debian-8 ~]$ sudo apt-get install tmux htop iotop strace perl-doc

2.5 Make Xwindows Useful
[user@fedora-25 ~]$ sudo yum install keepass keepassx # vault
[user@fedora-25 ~]$ sudo yum install mozilla-noscript mozilla-https-everywhere enigmail # mozilla
[user@debian-8 ~]$ sudo apt-get install firefox-esr xul-ext-noscript xul-ext-https-everywhere enigmail # mozilla
[user@debian-8 ~]$ sudo apt-get install vlc mplayer youtube-dl transmission-gtk audacity openscad freemind

3 Hardware Setup

3.1 WWAN
[user@fedora-25 ~]$ sudo yum install ModemManager
[user@dom0 ~]$ crontab -e # WWAN is usb device and thus attaches to sys-usb by default ... we need to move it to sys-net
* * * * * /usr/bin/qvm-usb -a sys-net sys-usb:2-1.2

3.2 USB Keyboards and Mice
[user@dom0 ~]$ sudo vim /etc/qubes-rpc/policy/qubes.Input{Keyboard,Mouse}
# sys-usb dom0 allow
# $anyvm $anyvm deny
a reboot is required to use usb input devices

3.3 Touchscreen
Make sure your Touchscreen (pci 00:1d.0) is not assigned to sys-net/sys-usb and add this to the user@dom0 crontab via "crontab -e":
@reboot /usr/bin/sudo /usr/bin/bash -lc 'sleep 3; export DISPLAY=:0.0; echo 0000:00:1d.0 > /sys/bus/pci/drivers/pciback/unbind; sleep 1; echo 0000:00:1d.0 > /sys/bus/pci/drivers/ehci-pci/bind; sleep 1; /usr/bin/xinput set-int-prop "Fujitsu Component USB Touch Panel" "Evdev Axis Calibration" 32 918 15776 637 14913'
You can use xinput_calibrator to generate your own numbers via "sudo qubes-dom0-update xinput_calibrator; xinput_calibrator".

3.4 Intel Audio
[user@dom0 ~]$ sudo alsactl init # use @reboot crontab and/or write an init script ("systembleh unit file")

3.5 Brightness Control
[user@dom0 ~]$ sudo qubes-dom0-update xbacklight
[user@dom0 ~]$ xbacklight -inc 20 # test
# add "acpi_backlight=Linux acpi_osi=" to end of "GRUB_CMDLINE_LINUX", if xbacklight test fails (my case)
[user@dom0 ~]$ sudo vim /etc/default/grub
[user@dom0 ~]$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
[user@dom0 ~]$ sudo reboot
[user@dom0 ~]$ xbacklight -inc 20 # should work now, also via function keys and front buttons

3.6 USB Printer (optional)
[user@dom0 ~]$ qvm-start fedora-25 # start fedora template vm
[user@dom0 ~]$ qvm-usb -l # identify printer id, e.g. sys-usb:2-1.4.4.2
[user@dom0 ~]$ qvm-usb -a fedora-25 sys-usb:2-1.4.4.2 # assign printer to fedora template vm
[user@dom0 ~]$ qvm-service sys-usb -e cups # enable printing service on net/usb vm
[user@fedora-25 ~]$ sudo yum install system-config-printer
[user@fedora-25 ~]$ DRIVER=mccgdi-2.0.8-x86_64; wget http://cs.psn-web.net/support/fax/commo ... VER.tar.gz && tar xzf $DRIVER.tar.gz && cd $DRIVER && sudo ./install-driver # optional driver installation step ... for KX-MB2515 in this case
[user@fedora-25 ~]$ system-config-printer # add printer and print a test page
power off fedora-25, reboot and see if sys-usb can print


4 Customization

4.1 Basic GUI and Power Settings
Qubes Menu: System Tools => XFCE Settings:
- microdeck window theme
- panel 20px height
- misc power saving settings
[user@dom0 ~]$ crontab -e
@reboot sudo xenpm set-scaling-governor ondemand
@reboot sudo powertop --auto-tune

4.2 Inter-VM Copy&Paste
# enable inter-vm copy&paste via "Mod4-c" and "Mod4-v" so you can copy&paste while you copy&paste
# srcVm: ctrl-c, win-c -- dstVm: win-v, ctrl-v
[user@dom0 ~]$ sudo vim /etc/qubes/guid.conf

4.3 Sudo Confirm
# enable confirm-dialog for sudo in vms ... to help mitigate exploitation attempts, e.g. vm-breakouts targeting Xen or APTs for user-disk MBR
# i leave passwordless sudo enabled on dom0 for now ... who owns the desktop owns the system/data anyway ...
# aggressive screenlock policy recommended, see also https://www.qubes-os.org/doc/vm-sudo/

[user@dom0 ~]$ sudo bash -lc '
echo "/usr/bin/echo 1" > /etc/qubes-rpc/qubes.VMAuth &&
echo "\$anyvm dom0 ask" > /etc/qubes-rpc/policy/qubes.VMAuth'
[user@dom0 ~]$ sudo reboot

[root@fedora-25 ~] vim /etc/pam.d/system-auth # replace the three ^auth lines with this one:
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /usr/bin/grep -q ^1$
[root@fedora-25 ~] vim /etc/sudoers.d/qubes # remove the NOPASSWD: keyword from the user line
[root@fedora-25 ~] rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
[root@fedora-25 ~] rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
[user@fedora-25 ~] sudo ls # test sudo feature BEFORE closing the root shell ...

[root@debian-8 ~] vim /etc/pam.d/common-auth # content with
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
[root@debian-8 ~] vim /etc/sudoers.d/qubes # remove the NOPASSWD: keyword from the user line
[root@debian-8 ~] rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
[root@debian-8 ~] rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
[root@debian-8 ~] vim /etc/pam.d/su # comment out the "auth sufficient pam_permit.so" line
[user@debian-8 ~] sudo ls # test sudo feature BEFORE closing the root shell ...

4.4 Anti Evil Maid
I've chosen to rely on /dev/sda1 for AEM installation, using a SRK secret,
as I really do not wish to enable USB ports due to stuff like BadUSB and the more recent Skylake USB Debug interface.

https://github.com/QubesOS/qubes-antiev ... aid/README
Took me like 20 reboots to get it working.
Hint 1: It's 3rd-gen-i5-i7-sinit-67.zip for i5-3320m,
Hint 2: You also want to make sure that Bios->Advanced->CPU->TXT is enabled.
Hint 3: You need to re-enable TPM in Bios->Security->TPM after using tpm_clear in dom0.
Hint 4: AFAICT, AEM requires the owner password to be zero-bytes, so only set SRK password.

How to verify AEM works:
1) look for picture/text after entering srk password
2) switch some meaningful bios settings, e.g. toggle usb support on/off
3) look for ABSENCE of picture/text after entering srk password
4) change bios settings back
5) look for picture/text after entering srk password

4.5 Disable Intel ME/AMT by giving it a ME-cleaned Sleeping Pill
I seem to have stumbled upon an alarmingly trivial race condition within Intel ME local firmware update,
that seems to allow bypassing the second (chip-based) image verification while also allowing to flash the read/write-protected ME region.
So, no need to take your TB apart and fumble with an external programmer like in the old days.
(exploit this at your own risk and warranty, i am not responsible for your actions, i will not support your sorry ass)
See also: https://github.com/corna/me_cleaner/issues/64
Files for 19mk6-191... https://filebin.ca/3ZoqtxiQEx5m/ME.bin && https://filebin.ca/3ZorKoSiEbI2/MEREG-muchdisable.bin ... or bake your own

1) Update to BIOS V6.00L12, as the shipped BIOS V6.00L10 has "ME local firmware update" disabled. reboot.
2) Boot into BIOS and Reset AMT Config. reboot.
3) flash panasonic ME.bin. reboot.
Code:
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid  D6B09D64-DA23-49A9-8888-F663BE603389 -f "ME.bin"

4) Start flashing panasonic oem ME.bin
Code:
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid  D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "ME.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation.  All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification:  [ COMPLETE ]
FW Update:  [ 35% (Stage: 13 of 19) (-)]

5) HIBERNATE, after 2-3 seconds in Stage 13 last seen "50%" and Stage 14/19
6) RESUME, now see 0% ... and program hangs, so press ctrl-c
Code:
^C Update:  [ 0% (Stage: 0 of 19) (|)])]

7) Re-Start flashing with cleaned ME.bin. notice how it directly jumps to Stage 13 35%.
Code:
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid  D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "MEREG-muchdisable.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation.  All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification:  [ COMPLETE ]
FW Update:  [ 35% (Stage: 13 of 19) (-)]
FW Update:  [ 100% (Stage: 19 of 19) (-)]
FW Update is complete and a reboot will run the new FW.

8) reboot. lean back. smile -- unless bricked

results of ME disablement:
other oem strings @ panasonic pcinfo http://picpaste.com/diff-pcinfo.png
PRE-BOOT and other ME-Name @ meinfo http://picpaste.com/diff-meinfo.png
Recovery state and two wiped registers @ http://picpaste.com/diff-intelmetool.png
fwupdlcl -fwver shows version, but -save and -f just hang
memanuf reports some error
ctrl-p reports "FW Status Recovery Error" and then just boots

4.6 Customize fedora-25-dvm (optional)
https://www.qubes-os.org/doc/dispvm-customization/
highly recommended: firefox->about:config->reader.parse-on-load.enabled=false # gets rid of braindead "reader view" feature/nagscreen

4.7 Install Windows Tools (optional)
download iso for windows paravirtualization (xen pv drivers, seamless mode, app integration)
[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
https://www.qubes-os.org/doc/windows-appvms/

I did a quick passmark performance test on a win7 within qubes.
the win7 vm has only two of four cores, just 6gb ram and i didn't even bother to install xen pv block drivers for speedy storage access.
the results are still pretty good, especially when compared to a cf19mk3 ;-)
Attachment: cf19mk6qubes-win7-passmark8.png


4.8 Basic Verification Steps
Make sure your settings work as intended ... e.g. I initially forgot to re-setup sudoers confirmation after upgrading from fedora23 to fedora25
This would also be the ideal point in time for running some hardening tools like lynis...
Attachment: lynis-qubes32-afterguide.png (excel-ified results of lynis -c -Q on some VMs, intended to inspire further hardening)


Last edited by Karl Klammer on Fri Nov 03, 2017 12:00 pm, edited 53 times in total.
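Section 4.8 of the guide above recommends re-checking that the section 4.3 sudo-confirm setup survived a template upgrade. The following is an added example, not code from the original post or from the Qubes project: a POSIX shell audit of a TemplateVM's root filesystem for exactly the four changes section 4.3 makes (no NOPASSWD in /etc/sudoers.d/qubes, both polkit allow-all files removed, a pam_exec line calling qubes.VMAuth, and no active "auth sufficient pam_permit.so" in /etc/pam.d/su). The function names, the `--demo` flag and the constructed sample trees are my own; run it inside a TemplateVM as `check_sudo_confirm /` after sourcing the file.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a TemplateVM's root
# filesystem for the "sudo confirm" hardening from section 4.3, so the
# re-check section 4.8 recommends after a template upgrade is one command.
# ROOT is the tree to inspect: "/" inside a real TemplateVM, or a constructed
# sample tree (see make_sample_tree) when run outside Qubes.
# Returns 0 when every check passes, 1 when at least one finding is printed.

check_sudo_confirm() {
    root="${1:-/}"
    findings=0

    # 1. The Qubes sudoers drop-in must no longer grant NOPASSWD.
    sudoers="$root/etc/sudoers.d/qubes"
    if [ -f "$sudoers" ] && grep -q 'NOPASSWD' "$sudoers"; then
        echo "FINDING: $sudoers still contains NOPASSWD"
        findings=$((findings + 1))
    fi

    # 2. Both polkit allow-all files must have been removed.
    for f in etc/polkit-1/rules.d/00-qubes-allow-all.rules \
             etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla; do
        if [ -e "$root/$f" ]; then
            echo "FINDING: $root/$f still present"
            findings=$((findings + 1))
        fi
    done

    # 3. PAM must route authentication through qrexec to dom0's qubes.VMAuth
    #    service (system-auth on Fedora, common-auth on Debian; either counts).
    pam_ok=0
    for f in etc/pam.d/system-auth etc/pam.d/common-auth; do
        if [ -f "$root/$f" ] && grep -q 'pam_exec\.so.*qubes\.VMAuth' "$root/$f"; then
            pam_ok=1
        fi
    done
    if [ "$pam_ok" -eq 0 ]; then
        echo "FINDING: no pam_exec qubes.VMAuth line in system-auth or common-auth"
        findings=$((findings + 1))
    fi

    # 4. Debian's /etc/pam.d/su must not keep "auth sufficient pam_permit.so"
    #    active (a commented-out line is fine).
    su_pam="$root/etc/pam.d/su"
    if [ -f "$su_pam" ] && \
       grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_permit\.so' "$su_pam"; then
        echo "FINDING: $su_pam still has an active 'auth sufficient pam_permit.so'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample trees for trying the check outside Qubes (hypothetical
# content, modelled on the files section 4.3 edits). "$1" is the target
# directory, "$2" is "stock" (passwordless root as shipped) or "hardened".
make_sample_tree() {
    d="$1"; state="$2"
    mkdir -p "$d/etc/sudoers.d" "$d/etc/pam.d" \
             "$d/etc/polkit-1/rules.d" "$d/etc/polkit-1/localauthority/50-local.d"
    if [ "$state" = stock ]; then
        echo 'user ALL=(ALL) NOPASSWD: ALL' > "$d/etc/sudoers.d/qubes"
        : > "$d/etc/polkit-1/rules.d/00-qubes-allow-all.rules"
        : > "$d/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla"
        echo 'auth sufficient pam_permit.so' > "$d/etc/pam.d/common-auth"
    else
        echo 'user ALL=(ALL) ALL' > "$d/etc/sudoers.d/qubes"
        echo 'auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$' \
            > "$d/etc/pam.d/common-auth"
        echo '#auth sufficient pam_permit.so' > "$d/etc/pam.d/su"
    fi
}

# Demo when run directly with --demo: build both sample trees and audit them.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    for state in stock hardened; do
        make_sample_tree "$tmp/$state" "$state"
        echo "== $state =="
        check_sudo_confirm "$tmp/$state" && echo "OK: hardened"
    done
    rm -rf "$tmp"
fi
```

The check only reads files, so it is safe to run from a cron job or before closing the root shell, as the guide advises; the "stock" tree produces four findings and the "hardened" tree none.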
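Sections 3.2 and 4.3 above edit dom0 qrexec policy files (qubes.InputKeyboard, qubes.InputMouse, qubes.VMAuth). Qubes 3.2 policy files hold one rule per line, "source destination action[,options]", "#" starts a comment, "$anyvm" matches every VM, and the first matching line wins. This added example, not code from the original post or from the Qubes project, is a small awk-based linter for such files that flags a blanket "$anyvm dom0 allow" (which skips the confirmation prompt the guide relies on) and rules placed after a "$anyvm $anyvm" catch-all (which can never match). The function name and the sample policies are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: lint Qubes 3.2 qrexec
# policy text read from stdin. Prints one line per concern and returns 1 if
# anything was flagged, 0 otherwise. Usage in dom0:
#   lint_qrexec_policy < /etc/qubes-rpc/policy/qubes.VMAuth
lint_qrexec_policy() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            src = $1; dst = $2; split($3, a, ","); act = a[1]
            # First match wins, so anything after a $anyvm $anyvm rule is dead.
            if (seen_catchall) {
                printf "unreachable: line %d (\"%s %s %s\") follows a $anyvm $anyvm rule\n", NR, src, dst, act
                bad = 1
            }
            # A blanket allow from every VM into dom0 never asks the user.
            if (src == "$anyvm" && dst == "dom0" && act == "allow") {
                printf "risky: line %d lets every VM invoke this service in dom0 without asking\n", NR
                bad = 1
            }
            if (src == "$anyvm" && dst == "$anyvm") seen_catchall = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Demo with constructed policies when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    echo "== policy as in section 3.2 =="
    printf '%s\n' 'sys-usb dom0 allow' '$anyvm $anyvm deny' | lint_qrexec_policy \
        && echo "clean"
    echo "== constructed bad policy =="
    printf '%s\n' '$anyvm dom0 allow' '$anyvm $anyvm deny' 'sys-net dom0 ask' \
        | lint_qrexec_policy || echo "findings above"
fi
```

The section 3.2 policy ("sys-usb dom0 allow" followed by "$anyvm $anyvm deny") passes; the constructed bad policy yields two findings, one for the blanket allow and one for the unreachable "ask" rule behind the catch-all.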

PostPosted: Fri Dec 16, 2016 7:34 pm 

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
(merged with initial post)


Last edited by Karl Klammer on Fri Nov 03, 2017 4:04 am, edited 2 times in total.

PostPosted: Sat Dec 17, 2016 8:15 am 

Joined: Sat Jun 07, 2014 7:39 am
Posts: 647
Location: Canada
Interesting. Keep us updated on its stability and future developments on the remaining untested and partially supported components.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


PostPosted: Tue Dec 20, 2016 6:05 pm 

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
kode-niner wrote:
Interesting. Keep us updated on its stability and future developments on the remaining untested and partially supported components.


are you interested in any particular of the "not tested" ports?


hardware support is rather complete, only really lacking ALS and some of the front buttons.
xen seems to filter most of the powertop --auto-tune goodness (only 8% gain) ... I need to look into xenpm

no crashes so far, it seems to just work and does not get in my way
I had two experiences where mouse+keyboard didn't work on resume-from-ram.
the easy fix/workaround was to close and open the lid again ;-)


PostPosted: Wed Dec 21, 2016 9:38 am 

Joined: Sat Jun 07, 2014 7:39 am
Posts: 647
Location: Canada
Karl Klammer wrote:
are you interested in any particular of the "not tested" ports?


Not specifically. My interest is marginal and more for curiosity's sake. I've never had any problems sandboxing processes when I need to with standard distros. If Qubes becomes usable on a CF-31 - which I intend to buy eventually - for the tasks that I do, I might consider it.

For the meantime, I consider myself savvy enough to not get pwned without Qubes' extraordinary security and nothing I do requires EAL (yet).

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


PostPosted: Thu Jan 05, 2017 9:28 am 

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Long-term stability update after a month:
- No serious issues so far.
- Touchpad/Keyboard sometimes do not work on resume. Close/Open lid fixes this.
- Touchpad acts erratically on constant high load, when the cpu core temp rises above 64C.
This is probably caused by some sys-usb timing issues in combination with some heat-related hardware design issues.
Closing the lid for 2 minutes fixes this.

I've submitted an entry to the Qubes HCL list and attached the qubes-hcl-report files to this post.


Attachments:
- Qubes-HCL-Panasonic_Corporation-CF_191HC51FL-20170105-134247.yml.gz (yaml)
- Qubes-HCL-Panasonic_Corporation-CF_191HC51FL-20170105-134247.cpio.gz (cpio, anonymized)
PostPosted: Thu Jan 05, 2017 10:03 am 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3539
Location: Montgomery, IL 60538
HOLY TOLEDO...

STICKED! :)

_________________
~Rob - Rugged Depot ~ Cell: (630)/300-8877~

~Fully rugged Toughbook user since April 18th 2005~
~New 5/19/17 - CF-20A5001KM Win10, Intel Core m5-6Y57 1.1GHz, 128GB SSD, 8GB, Verizon 4G LTE, Intel 8260 WiFi a/b/g/n/ac, Bluetooth~
~For the wife (New 4/1/15): CF-AX2LDJZEY/i5/128GB SSD/4GB/Win 8.1~
~Others: CF-52MLBBQ2M (Home Workstation), CF-H2ASFHG1M (Mounted Kitchen Security Cam Viewer), CF-H1CSLFZ1M (Mounted Master Bath Security Cam Viewer)
~New 11/13/14 Donations thanks to everyone at Toughbooktalk: IBM xSeries 3650/2 x Xeon X5560 2.8GHz/16GB RAM/8 x 600GB 10KRPM SAS RAID 5/3.71TB Space/Win 2008 R2/3000VA + 1250VA Battery Backup~
~AT&T 1GB Fiber 1GB/1GB business static line~
~Gamber & Johnson Diamond Partner~

http://www.toughbooktalk.com
http://www.toughbooktalk.com/public_downloads
http://www.toughwiki.com
http://www.robsnetworks.com
http://www.giganethosting.com


PostPosted: Fri Jan 06, 2017 6:36 pm 

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
:wtf: As of 2017-01-06, Toughbooks are the only laptops known to fulfill Qubes 4.0 system requirements. :headbang:
https://groups.google.com/forum/#!topic ... dTZ0zv2vX4

Rob's Depot: where EAL5 meets MIL810G 8)
Sale: get 20% off on your hack- and water-resistant computing needs

@Rob: Use that for marketing, but hurry up, before someone with a flimsy Dell XFR submits a report :rofl:


EDIT 2017-01-08:
A second R3.2 HCL report appeared yesterday, for a Thinkpad that lacks AEM support.
So ... I've spent this morning fooling around with Qubes AEM feature, just to see if I could get that final HCL checkbox green ;-)
The attached journalctl file looks good to me, but I am not an expert on TPM.
BTW: I'm using nail polish as my actual, physical AEM solution... no code means no backdoors ;-)


Attachments:
- journalctl_anti-evil-maid-unseal.txt
PostPosted: Wed Jun 28, 2017 3:16 pm 

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Long-term stability update after 7 months

yeah, works just damn fine :boing:
the touchpad overheating issue can be a bit annoying when gaming on hot days. :confused:


PostPosted: Thu Jun 29, 2017 10:46 am 

Joined: Thu Oct 14, 2010 1:13 pm
Posts: 2176
Location: TDR-HQ California
What did you do with sound?

Way back when, you were going to write a script.

_________________
Fair for you/ Fair for me.
I chose to NOT be organized.

-------------------------------------------------------------------
http://toughbooktalk.com/
http://forum.notebookreview.com/panasonic/


Powered by phpBB® Forum Software © phpBB Limited