1 Abstract
1.1 Architecture
1.2 Hardware Support
1.3 Battery Life
2 Installation
2.1 BIOS Preparation
2.2 Qubes Installation
2.3 Upgrade Fedora 23 to 25
2.4 Make Terminals Useful
2.5 Make Xwindows Useful
3 Hardware Setup
3.1 WWAN
3.2 USB Keyboards and Mice
3.3 Touchscreen
3.4 Intel Audio
3.5 Brightness Control
3.6 USB Printer (optional)
4 Customization
4.1 Basic GUI and Power Settings
4.2 Inter-VM Copy&Paste
4.3 Sudo Confirm
4.4 Anti Evil Maid
4.5 Disable Intel ME/AMT by giving it a ME-cleaned Sleeping Pill
4.6 Customize fedora-25-dvm (optional)
4.7 Install Windows Tools (optional)
4.8 Basic Verification Steps
1 Abstract
The QUBES 3.2 Not Playing Well with CF-31 thread inspired me to play around with Qubes on my CF-191HC51FL.
You might want to have a look at page two of the cf31 thread for a detailed overview of the concepts behind Qubes and educated guesses on its future development.
1.1 Architecture
Any two Qubes systems will probably differ a lot more than, say, any two Ubuntu systems,
so I've concept-mapped my current setup for reference.
1.2 Hardware Support
[x] full support
[p] partial support/work in progress
[?] not tested
[x] Network
- [x] 1000mbps ethernet
- [x] 100mbps VEB181-Dock ethernet
- [x] Wifi
- [x] WWAN Ericsson
- [?] Bluetooth
[p] User Experience
- [x] Touchpad
- [x] Keyboard
- [x] USB Mouse and Keyboard
- [x] Audio
- [x] Touchscreen
- [p] FrontButtons -- brightness
- [x] FunctionKeys -- brightness, audio, display
- [x] Suspend to RAM
- [x] Anti Evil Maid -- https://github.com/QubesOS/qubes-antiev ... aid/README
- [x] Intel ME/AMT can be cleaned with ME_Cleaner by using the internal programmer
[p] Ports
- [x] GPS
- [p] ALS ambient light sensor
- [x] USB
- [x] PCMCIA
- [?] Firewire
- [?] MMC
- [?] SD
- [x] USB printer -- optional
BTW: You might also be interested in Guide to OpenBSD 5.9 on Toughbook 19 mk6 and mk3,
if you want more details about my model's hardware and/or like obscure and secure operating systems ;-)
1.3 Battery Life
Qubes heavily relies on Virtual Machines and has a baseline of five VMs (dom0,sys-usb,sys-net,sys-firewall,sys-whonix).
Translation: You already run five operating systems even before you start any of your own App-VMs.
You should expect 3:30 hours real-world battery life on the mk6.
I did three 20min idling-tests using wlan and 10% constant brightness on heavily optimized bios settings.
(everything disabled, cpu eco mode -- only enabled vt-*, wlan, wwan, gps, touchpad, ahci)
These are the averaged results, computed according to ( (N1time/N1bat*100) + (N2time/N2bat*100) ) / Ncount:
- 3:20hours -- thunderbird hogging 100% of 1 core
- 4:17hours -- just chatting
- 4:35hours -- just chatting, with powertop --auto-tune in dom0 and sys-net
cf19mk6 battery life comparison for light workloads:
9:00h = 100% Windows 7
6:30h = 72% OpenBSD 5.9
4:30h = 50% Qubes 3.2
2 Installation
2.1 BIOS Preparation
Enable features: VT-*, HT, TXE, TPM
Disable all devices that you are not going to use in order to reduce attack surface and battery drain.
In my case: Bluetooth, PCMCIA, Firewire, SD, MMC, LAN, Modem, Serial, GPS, USB*
*USB needs to be enabled during installation
2.2 Qubes Installation
create usb stick and boot from it
install: as you wish
select sys-net, sys-usb, sys-whonix on first boot
reboot (necessary to detect the networking hardware)
# update system
Qubes Manager: fedora-23 => Update VM
Qubes Manager: debian-8 => Update VM
[user@dom0 ~]$ sudo qubes-dom0-update # might fail on first run
reboot
2.3 Upgrade Fedora 23 to 25
update fedora-23 (EOL), then switch the template of all fedora-23 AppVMs to fedora-25:
https://www.qubes-os.org/doc/template/f ... -24-to-25/
2.4 Make Terminals Useful
[user@dom0 ~]$ sudo qubes-dom0-update tmux htop iotop strace
[user@fedora-25 ~]$ sudo yum install tmux htop iotop strace
[user@debian-8 ~]$ sudo apt-get install tmux htop iotop strace perl-doc
2.5 Make Xwindows Useful
[user@fedora-25 ~]$ sudo yum install keepass keepassx # vault
[user@fedora-25 ~]$ sudo yum install mozilla-noscript mozilla-https-everywhere enigmail # mozilla
[user@debian-8 ~]$ sudo apt-get install firefox-esr xul-ext-noscript xul-ext-https-everywhere enigmail # mozilla
[user@debian-8 ~]$ sudo apt-get install vlc mplayer youtube-dl transmission-gtk audacity openscad freemind
3 Hardware Setup
3.1 WWAN
[user@fedora-25 ~]$ sudo yum install ModemManager
[user@dom0 ~]$ crontab -e # WWAN is a USB device and thus attaches to sys-usb by default ... we need to move it to sys-net
* * * * * /usr/bin/qvm-usb -a sys-net sys-usb:2-1.2
3.2 USB Keyboards and Mice
[user@dom0 ~]$ sudo vim /etc/qubes-rpc/policy/qubes.Input{Keyboard,Mouse}
# sys-usb dom0 allow
# $anyvm $anyvm deny
a reboot is required to use usb input devices
3.3 Touchscreen
Make sure your touchscreen (pci 00:1d.0) is not assigned to sys-net/sys-usb and add this to the user@dom0 crontab via "crontab -e":
@reboot /usr/bin/sudo /usr/bin/bash -lc 'sleep 3; export DISPLAY=:0.0; echo 0000:00:1d.0 > /sys/bus/pci/drivers/pciback/unbind; sleep 1; echo 0000:00:1d.0 > /sys/bus/pci/drivers/ehci-pci/bind; sleep 1; /usr/bin/xinput set-int-prop "Fujitsu Component USB Touch Panel" "Evdev Axis Calibration" 32 918 15776 637 14913'
You can generate your own calibration numbers with xinput_calibrator: "sudo qubes-dom0-update xinput_calibrator; xinput_calibrator".
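The crontab one-liner above relies on fixed sleeps and never checks whether the unbind/bind actually happened. The script below is an added example (not part of the original guide): it does the same pciback -> ehci-pci move and the same xinput calibration, but reads the driver binding back from sysfs before going on, and polls X until the touch panel is enumerated. The BDF 0000:00:1d.0, the driver names, the xinput device name and the calibration numbers are taken from the guide; SYSFS, BDF and the --run switch are helper conventions of this script only, so the rebind logic can be rehearsed against a fake sysfs tree.

```shell
#!/bin/sh
# Added example, not from the original guide: dom0 boot script that performs the
# section 3.3 rebind-then-calibrate sequence with verification instead of fixed sleeps.
# Assumed from the guide: BDF 0000:00:1d.0, pciback -> ehci-pci, device name, numbers.
# SYSFS, BDF and --run are helper conventions of this script only.
set -e

SYSFS="${SYSFS:-/sys}"
BDF="${BDF:-0000:00:1d.0}"
FROM_DRV="pciback"                 # Xen driver that hides the device from dom0
TO_DRV="ehci-pci"                  # USB host controller the touch panel sits behind
XINPUT_DEV="Fujitsu Component USB Touch Panel"
CALIBRATION="918 15776 637 14913"  # regenerate with xinput_calibrator for your panel

# Print the driver currently bound to PCI device $1, or nothing if it is unbound.
current_driver() {
    link="$SYSFS/bus/pci/devices/$1/driver"
    if [ -L "$link" ]; then basename "$(readlink "$link")"; fi
}

# Move device $1 from driver $2 to driver $3 via the sysfs unbind/bind files.
# Idempotent: skips steps already done. Returns 1 if the device did not end up on $3.
rebind_pci() {
    dev="$1" from="$2" to="$3"
    if [ "$(current_driver "$dev")" = "$from" ]; then
        echo "$dev" > "$SYSFS/bus/pci/drivers/$from/unbind"
    fi
    if [ "$(current_driver "$dev")" != "$to" ]; then
        echo "$dev" > "$SYSFS/bus/pci/drivers/$to/bind"
    fi
    [ "$(current_driver "$dev")" = "$to" ]
}

# Re-run command $1 once a second until it succeeds or $2 attempts have been made.
wait_for() {
    n=0
    until eval "$1"; do
        n=$((n + 1))
        [ "$n" -lt "$2" ] || return 1
        sleep 1
    done
}

# Apply the guide's axis calibration once X has enumerated the touch panel.
calibrate_touchscreen() {
    export DISPLAY=:0.0
    wait_for "xinput list --name-only 2>/dev/null | grep -qx '$XINPUT_DEV'" 30 || return 1
    xinput set-int-prop "$XINPUT_DEV" "Evdev Axis Calibration" 32 $CALIBRATION
}

# Only touch the real system when invoked as: sudo ./touchscreen-boot.sh --run
if [ "${1:-}" = "--run" ]; then
    rebind_pci "$BDF" "$FROM_DRV" "$TO_DRV" || { echo "$BDF is not on $TO_DRV" >&2; exit 1; }
    calibrate_touchscreen
fi
```

Wire it into the user@dom0 crontab as `@reboot /usr/bin/sudo /path/to/touchscreen-boot.sh --run`; the final driver check means a failed unbind (for example because the device is still assigned to a VM) is reported instead of silently calibrating nothing.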
3.4 Intel Audio
[user@dom0 ~]$ sudo alsactl init # use an @reboot crontab entry and/or write an init script ("systembleh unit file")
3.5 Brightness Control
[user@dom0 ~]$ sudo qubes-dom0-update xbacklight
[user@dom0 ~]$ xbacklight -inc 20 # test
# add "acpi_backlight=Linux acpi_osi=" to end of "GRUB_CMDLINE_LINUX", if xbacklight test fails (my case)
[user@dom0 ~]$ sudo vim /etc/default/grub
[user@dom0 ~]$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
[user@dom0 ~]$ sudo reboot
[user@dom0 ~]$ xbacklight -inc 20 # should work now, also via function keys and front buttons
3.6 USB Printer (optional)
[user@dom0 ~]$ qvm-start fedora-25 # start fedora template vm
[user@dom0 ~]$ qvm-usb -l # identify printer id, e.g. sys-usb:2-1.4.4.2
[user@dom0 ~]$ qvm-usb -a fedora-25 sys-usb:2-1.4.4.2 # assign printer to fedora template vm
[user@dom0 ~]$ qvm-service sys-usb -e cups # enable printing service on net/usb vm
[user@fedora-25 ~]$ sudo yum install system-config-printer
[user@fedora-25 ~]$ DRIVER=mccgdi-2.0.8-x86_64; wget http://cs.psn-web.net/support/fax/commo ... VER.tar.gz && tar xzf $DRIVER.tar.gz && cd $DRIVER && sudo ./install-driver # optional driver installation step ... for KX-MB2515 in this case
[user@fedora-25 ~]$ system-config-printer # add printer and print a test page
power off fedora-25, reboot and see if sys-usb can print
4 Customization
4.1 Basic GUI and Power Settings
Qubes Menu: System Tools => XFCE Settings:
- microdeck window theme
- panel 20px height
- misc power saving settings
[user@dom0 ~]$ crontab -e
@reboot sudo xenpm set-scaling-governor ondemand
@reboot sudo powertop --auto-tune
4.2 Inter-VM Copy&Paste
# enable inter-vm copy&paste via "Mod4-c" and "Mod4-v" so you can copy&paste while you copy&paste
# srcVm: ctrl-c, win-c -- dstVm: win-v, ctrl-v
[user@dom0 ~]$ sudo vim /etc/qubes/guid.conf
4.3 Sudo Confirm
# enable confirm-dialog for sudo in vms ... to help mitigate exploitation attempts, e.g. vm-breakouts targeting Xen or APTs for user-disk MBR
# i leave passwordless sudo enabled on dom0 for now ... who owns the desktop owns the system/data anyway ...
# aggressive screenlock policy recommended, see also https://www.qubes-os.org/doc/vm-sudo/
[user@dom0 ~]$ sudo bash -lc '
echo "/usr/bin/echo 1" > /etc/qubes-rpc/qubes.VMAuth &&
echo "\$anyvm dom0 ask" > /etc/qubes-rpc/policy/qubes.VMAuth'
[user@dom0 ~]$ sudo reboot
[root@fedora-25 ~]# vim /etc/pam.d/system-auth # replace the three ^auth lines with this one:
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /usr/bin/grep -q ^1$
[root@fedora-25 ~]# vim /etc/sudoers.d/qubes # remove the NOPASSWD: keyword from the user line
[root@fedora-25 ~]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
[root@fedora-25 ~]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
[user@fedora-25 ~]$ sudo ls # test sudo feature BEFORE closing the root shell ...
[root@debian-8 ~]# vim /etc/pam.d/common-auth # replace its content with:
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
[root@debian-8 ~]# vim /etc/sudoers.d/qubes # remove the NOPASSWD: keyword from the user line
[root@debian-8 ~]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
[root@debian-8 ~]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
[root@debian-8 ~]# vim /etc/pam.d/su # comment out the "auth sufficient pam_permit.so" line
[user@debian-8 ~]$ sudo ls # test sudo feature BEFORE closing the root shell ...
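Since these template-side steps are easy to lose (the verification section below notes the sudo confirmation had to be redone after the fedora-23 to fedora-25 upgrade), here is an added example script, not part of the original guide, that applies all of them in one pass and then checks that each one took effect. The PAM line, the file paths and the qubes.VMAuth policy name are exactly those from this section; ROOT, PAMFILE, GREP_BIN and the --apply switch are helper conventions of this script only, and ROOT lets you rehearse it against a copied /etc tree before touching the template.

```shell
#!/bin/sh
# Added example, not from the original guide: apply and verify the section 4.3
# "Sudo Confirm" template steps. Assumed from the guide: PAM line, paths, policy name.
# ROOT, PAMFILE, GREP_BIN and --apply are helper conventions of this script only.
# Usage inside the template, as root:
#   fedora-25: PAMFILE=/etc/pam.d/system-auth ./sudo-confirm.sh --apply
#   debian-8:  PAMFILE=/etc/pam.d/common-auth GREP_BIN=/bin/grep ./sudo-confirm.sh --apply
# Set ROOT=/some/copy to rehearse against a copied /etc tree first.
set -e

GREP_BIN="${GREP_BIN:-/usr/bin/grep}"
PAM_LINE="auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth ${GREP_BIN} -q ^1\$"

# Replace every "auth ..." line of PAM file $1 with the single qrexec-backed line;
# dom0's qubes.VMAuth policy is "ask", so each sudo now pops a confirm dialog in dom0.
install_pam_auth() {
    tmp="$(mktemp)"
    grep -v '^auth[[:space:]]' "$1" > "$tmp" || true   # grep -v exits 1 when nothing is left
    { printf '%s\n' "$PAM_LINE"; cat "$tmp"; } > "$1"
    rm -f "$tmp"
}

# Remove the NOPASSWD: keyword from sudoers.d/qubes (keeps a .bak copy).
strip_nopasswd() {
    [ -f "$1" ] || return 0
    sed -i.bak 's/NOPASSWD:[[:space:]]*//g' "$1"
}

# debian-8 only: comment out "auth sufficient pam_permit.so" in /etc/pam.d/su.
comment_su_permit() {
    [ -f "$1" ] || return 0
    sed -i.bak 's/^\(auth[[:space:]][[:space:]]*sufficient[[:space:]][[:space:]]*pam_permit\.so\)/# \1/' "$1"
}

# Apply all steps under root prefix $1 with PAM file $2.
apply_sudo_confirm() {
    install_pam_auth "$1$2"
    strip_nopasswd "$1/etc/sudoers.d/qubes"
    comment_su_permit "$1/etc/pam.d/su"
    rm -f "$1/etc/polkit-1/rules.d/00-qubes-allow-all.rules" \
          "$1/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla"
}

# Exit 0 only when every step has taken effect under root prefix $1 with PAM file $2.
verify_sudo_confirm() {
    grep -q 'qubes.VMAuth' "$1$2" || return 1
    [ "$(grep -c '^auth' "$1$2")" -eq 1 ] || return 1
    if grep -q 'NOPASSWD' "$1/etc/sudoers.d/qubes" 2>/dev/null; then return 1; fi
    [ ! -e "$1/etc/polkit-1/rules.d/00-qubes-allow-all.rules" ] || return 1
    [ ! -e "$1/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla" ] || return 1
}

if [ "${1:-}" = "--apply" ]; then
    apply_sudo_confirm "${ROOT:-}" "${PAMFILE:-/etc/pam.d/system-auth}"
    verify_sudo_confirm "${ROOT:-}" "${PAMFILE:-/etc/pam.d/system-auth}" \
        || { echo "sudo confirm NOT active, keep your root shell open" >&2; exit 1; }
    echo "sudo confirm configured; test with 'sudo ls' before closing the root shell"
fi
```

Running `verify_sudo_confirm` alone (source the script and call it) is a quick way to re-check a template after every upgrade; a single surviving NOPASSWD: or polkit allow-all file is enough to silently bring passwordless root back.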
4.4 Anti Evil Maid
I've chosen to rely on /dev/sda1 for AEM installation, using a SRK secret,
as I really do not wish to enable USB ports due to stuff like BadUSB and the more recent Skylake USB Debug interface.
https://github.com/QubesOS/qubes-antiev ... aid/README
Took me like 20 reboots to get it working.
Hint 1: It's 3rd-gen-i5-i7-sinit-67.zip for i5-3320m,
Hint 2: You also want to make sure that Bios->Advanced->CPU->TXT is enabled.
Hint 3: You need to re-enable TPM in Bios->Security->TPM after using tpm_clear in dom0.
Hint 4: AFAICT, AEM requires the owner password to be zero-bytes, so only set SRK password.
How to verify AEM works:
1) look for picture/text after entering srk password
2) switch some meaningful bios settings, e.g. toggle usb support on/off
3) look for ABSENCE of picture/text after entering srk password
4) change bios settings back
5) look for picture/text after entering srk password
4.5 Disable Intel ME/AMT by giving it a ME-cleaned Sleeping Pill
I seem to have stumbled upon an alarmingly trivial race condition within Intel ME local firmware update,
that seems to allow bypassing the second (chip-based) image verification while also allowing to flash the read/write-protected ME region.
So, no need to take your TB apart and fumble with an external programmer like in the old days.
(exploit this at your own risk and warranty, i am not responsible for your actions, i will not support your sorry ass)
See also: https://github.com/corna/me_cleaner/issues/64
Files for 19mk6-191... https://filebin.ca/3ZoqtxiQEx5m/ME.bin && https://filebin.ca/3ZorKoSiEbI2/MEREG-muchdisable.bin ... or bake your own
1) Update to BIOS V6.00L12, as the shipped BIOS V6.00L10 has "ME local firmware update" disabled. reboot.
2) Boot into BIOS and Reset AMT Config. reboot.
3) flash panasonic ME.bin. reboot.
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid D6B09D64-DA23-49A9-8888-F663BE603389 -f "ME.bin"
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "ME.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation. All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]
FW Update: [ 35% (Stage: 13 of 19) (-)]
6) RESUME, now see 0% ... and program hangs, so press ctrl-c
^C Update: [ 0% (Stage: 0 of 19) (|)])]
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "MEREG-muchdisable.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation. All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]
FW Update: [ 35% (Stage: 13 of 19) (-)]
FW Update: [ 100% (Stage: 19 of 19) (-)]
FW Update is complete and a reboot will run the new FW.

results of ME disablement:
other oem strings @ panasonic pcinfo http://picpaste.com/diff-pcinfo.png
PRE-BOOT and other ME-Name @ meinfo http://picpaste.com/diff-meinfo.png
Recovery state and two wiped registers @ http://picpaste.com/diff-intelmetool.png
fwupdlcl -fwver shows version, but -save and -f just hang
memanuf reports some error
ctrl-p reports "FW Status Recovery Error" and then just boots
4.6 Customize fedora-25-dvm (optional)
https://www.qubes-os.org/doc/dispvm-customization/
highly recommended: firefox->about:config->reader.parse-on-load.enabled=false # gets rid of braindead "reader view" feature/nagscreen
4.7 Install Windows Tools (optional)
download iso for windows paravirtualization (xen pv drivers, seamless mode, app integration)
[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
https://www.qubes-os.org/doc/windows-appvms/
I did a quick passmark performance test on a win7 within qubes.
the win7 vm has only two of four cores, just 6gb ram and i didn't even bother to install xen pv block drivers for speedy storage access.
the results are still pretty good, especially when compared to a cf19mk3 ;-)
4.8 Basic Verification Steps
Make sure your settings work as intended ... e.g. I initially forgot to re-setup sudoers confirmation after upgrading from fedora23 to fedora25
This would also be the ideal point in time for running some hardening tools like lynis...