Guide to Qubes 3.2 on Toughbook 19 mk6 [Trustworthy/HAP/MILS, TPM/AEM/BadUSB, IntelME/AMT/AT, FDE/Linux/Windows]

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Guide to Qubes 3.2 on Toughbook 19 mk6 [Trustworthy/HAP/MILS, TPM/AEM/BadUSB, IntelME/AMT/AT, FDE/Linux/Windows]

#1 Post by Karl Klammer »

Contents
1 Abstract
1.1 Architecture
1.2 Hardware Support
1.3 Battery Life

2 Installation
2.1 BIOS Preparation
2.2 Qubes Installation
2.3 Upgrade Fedora 23 to 25
2.4 Make Terminals Useful
2.5 Make Xwindows Useful

3 Hardware Setup
3.1 WWAN
3.2 USB Keyboards and Mice
3.3 Touchscreen
3.4 Intel Audio
3.5 Brightness Control
3.6 USB Printer (optional)

4 Customization
4.1 Basic GUI and Power Settings
4.2 Inter-VM Copy&Paste
4.3 Sudo Confirm
4.4 Anti Evil Maid
4.5 Disable Intel ME/AMT by giving it a ME-cleaned Sleeping Pill
4.6 Customize fedora-25-dvm (optional)
4.7 Install Windows Tools (optional)
4.8 Basic Verification Steps

1 Abstract
The QUBES 3.2 Not Playing Well with CF-31 thread inspired me to play around with Qubes on my CF-191HC51FL.
You might want to throw an eye on page two of the cf31 thread for a detailed overview of the concepts behind Qubes and educated guesses on its future development.

1.1 Architecture
Any two Qubes systems will probably differ a lot more than say any two Ubuntu systems ...
so I've concept-mapped my current setup for reference.
[Image: ConceptMap of current setup with sys-net, sys-usb and sys-whonix (qubes32cf19mk6-20171031ae.png)]
1.2 Hardware Support
[x] full support
[p] partial support/work in progress
[?] not tested

[x] Network
- [x] 1.000mbps ethernet
- [x] 100mbps VEB181-Dock ethernet
- [x] Wifi
- [x] WWAN Ericsson
- [?] Bluetooth
[p] User Experience
- [x] Touchpad
- [x] Keyboard
- [x] USB Mouse and Keyboard
- [x] Audio
- [x] Touchscreen
- [p] FrontButtons -- brightness
- [x] FunctionKeys -- brightness, audio, display
- [x] Suspend to RAM
- [x] Anti Evil Maid -- https://github.com/QubesOS/qubes-antiev ... aid/README
- [x] Intel ME/AMT can be cleaned with ME_Cleaner by using the internal programmer
[p] Ports
- [x] GPS
- [p] ALS ambient light sensor
- [x] USB
- [x] PCMCIA
- [?] Firewire
- [?] MMC
- [?] SD
- [x] USB printer -- optional

BTW: You might also be interested in Guide to OpenBSD 5.9 on Toughbook 19 mk6 and mk3,
if you want more details about my model's hardware and/or like obscure and secure operating systems ;-)

1.3 Battery Life
Qubes heavily relies on Virtual Machines and has a baseline of five VMs (dom0,sys-usb,sys-net,sys-firewall,sys-whonix).
Translation: You already run five operating systems even before you start any of your own App-VMs.
You should expect 3:30 hours real-world battery life on the mk6.

I did three 20min idling-tests using wlan and 10% constant brightness on heavily optimized bios settings.
(everything disabled, cpu eco mode -- only enabled vt-*, wlan, wwan, gps, touchpad, ahci)
These are the averaged results, computed according to ( (N1time/N1bat*100) + (N2time/N2bat*100) ) / Ncount:
- 3:20hours -- thunderbird hogging 100% of 1 core
- 4:17hours -- just chatting
- 4:35hours -- just chatting, with powertop --auto-tune in dom0 and sys-net

cf19mk6 battery life comparison for light workloads:
9:00h = 100% Windows 7
6:30h = 72% OpenBSD 5.9
4:30h = 50% Qubes 3.2

2 Installation

2.1 BIOS Preparation
Enable features: VT-*, HT, TXE, TPM
Disable all devices that you are not going to use in order to reduce attack surface and battery drain.
In my case: Bluetooth, PCMCIA, Firewire, SD, MMC, LAN, Modem, Serial, GPS, USB*
*USB needs to be enabled during installation

2.2 Qubes Installation
create usb stick and boot from it
install: as you wish
select sys-net, sys-usb, sys-whonix on first boot
reboot, necessary to detect networking hardware
# update system
Qubes Manager: fedora-23 => Update VM
Qubes Manager: debian-8 => Update VM
[user@dom0 ~]$ sudo qubes-dom0-update # might fail on first run
reboot

2.3 Upgrade Fedora 23 to 25
update fedora-23 (EOL) and switch template vms for all fedora-23 app vms to fedora-25
https://www.qubes-os.org/doc/template/f ... -24-to-25/

2.4 Make Terminals Useful
[user@dom0 ~]$ sudo qubes-dom0-update tmux htop iotop strace
[user@fedora-25 ~]$ sudo yum install tmux htop iotop strace
[user@debian-8 ~]$ sudo apt-get install tmux htop iotop strace perl-doc

2.5 Make Xwindows Useful
[user@fedora-25 ~]$ sudo yum install keepass keepassx # vault
[user@fedora-25 ~]$ sudo yum install mozilla-noscript mozilla-https-everywhere enigmail # mozilla
[user@debian-8 ~]$ sudo apt-get install firefox-esr xul-ext-noscript xul-ext-https-everywhere enigmail # mozilla
[user@debian-8 ~]$ sudo apt-get install vlc mplayer youtube-dl transmission-gtk audacity openscad freemind

3 Hardware

3.1 WWAN
[user@fedora-25 ~]$ sudo yum install ModemManager
[user@dom0 ~]$ crontab -e # WWAN is usb device and thus attaches to sys-usb by default ... we need to move it to sys-net
* * * * * /usr/bin/qvm-usb -a sys-net sys-usb:2-1.2

3.2 USB Keyboards and Mice
[user@dom0 ~]$ sudo vim /etc/qubes-rpc/policy/qubes.Input{Keyboard,Mouse}
# sys-usb dom0 allow
# $anyvm $anyvm deny
a reboot is required to use usb input devices

3.3 Touchscreen
Make sure your Touchscreen (pci 00:1d.0) is not assigned to sys-net/sys-usb and add this to the user@dom0 crontab via "crontab -e":
@reboot /usr/bin/sudo /usr/bin/bash -lc 'sleep 3; export DISPLAY=:0.0; echo 0000:00:1d.0 > /sys/bus/pci/drivers/pciback/unbind; sleep 1; echo 0000:00:1d.0 > /sys/bus/pci/drivers/ehci-pci/bind; sleep 1; /usr/bin/xinput set-int-prop "Fujitsu Component USB Touch Panel" "Evdev Axis Calibration" 32 918 15776 637 14913'
You can use xinput_calibrator to generate your own numbers via "sudo qubes-dom0-update xinput_calibrator; xinput_calibrator".

3.4 Intel Audio
[user@dom0 ~]$ sudo alsactl init # use @reboot crontab and/or write init script ("systembleh unit file")

3.5 Brightness Control
[user@dom0 ~]$ sudo qubes-dom0-update xbacklight
[user@dom0 ~]$ xbacklight -inc 20 # test
# add "acpi_backlight=Linux acpi_osi=" to end of "GRUB_CMDLINE_LINUX", if xbacklight test fails (my case)
[user@dom0 ~]$ sudo vim /etc/default/grub
[user@dom0 ~]$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
[user@dom0 ~]$ sudo reboot
[user@dom0 ~]$ xbacklight -inc 20 # should work now, also via function keys and front buttons

3.6 USB Printer (optional)
[user@dom0 ~]$ qvm-start fedora-25 # start fedora template vm
[user@dom0 ~]$ qvm-usb -l # identify printer id, e.g. sys-usb:2-1.4.4.2
[user@dom0 ~]$ qvm-usb -a fedora-25 sys-usb:2-1.4.4.2 # assign printer to fedora template vm
[user@dom0 ~]$ qvm-service sys-usb -e cups # enable printing service on net/usb vm
[user@fedora-25 ~]$ sudo yum install system-config-printer
[user@fedora-25 ~]$ DRIVER=mccgdi-2.0.8-x86_64; wget http://cs.psn-web.net/support/fax/commo ... VER.tar.gz && tar xzf $DRIVER.tar.gz && cd $DRIVER && sudo ./install-driver # optional driver installation step ... for KX-MB2515 in this case
[user@fedora-25 ~]$ system-config-printer # add printer and print a test page
power off fedora-25, reboot and see if sys-usb can print


4 Customization

4.1 Basic GUI and Power Settings
Qubes Menu: System Tools => XFCE Settings:
- microdeck window theme
- panel 20px height
- misc power saving settings
[user@dom0 ~]$ crontab -e
@reboot sudo xenpm set-scaling-governor ondemand
@reboot sudo powertop --auto-tune

4.2 Inter-VM Copy&Paste
# enable inter-vm copy&paste via "Mod4-c" and "Mod4-v" so you can copy&paste while you copy&paste
# srcVm: ctrl-c, win-c -- dstVm: win-v, ctrl-v
[user@dom0 ~]$ sudo vim /etc/qubes/guid.conf

4.3 Sudo Confirm
# enable confirm-dialog for sudo in vms ... to help mitigate exploitation attempts, e.g. vm-breakouts targeting Xen or APTs for user-disk MBR
# i leave passwordless sudo enabled on dom0 for now ... who owns the desktop owns the system/data anyway ...
# aggressive screenlock policy recommended, see also https://www.qubes-os.org/doc/vm-sudo/

[user@dom0 ~]$ sudo bash -lc '
echo "/usr/bin/echo 1" > /etc/qubes-rpc/qubes.VMAuth &&
echo "\$anyvm dom0 ask" > /etc/qubes-rpc/policy/qubes.VMAuth'
[user@dom0 ~]$ sudo reboot

[root@fedora-25 ~]# vim /etc/pam.d/system-auth # replace the three ^auth lines with this one:
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /usr/bin/grep -q ^1$
[root@fedora-25 ~]# vim /etc/sudoers.d/qubes # remove the NOPASSWD: keyword from the user line
[root@fedora-25 ~]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
[root@fedora-25 ~]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
[user@fedora-25 ~]$ sudo ls # test sudo feature BEFORE closing the root shell ...

[root@debian-8 ~]# vim /etc/pam.d/common-auth # replace the contents with:
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
[root@debian-8 ~]# vim /etc/sudoers.d/qubes # remove the NOPASSWD: keyword from the user line
[root@debian-8 ~]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
[root@debian-8 ~]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
[root@debian-8 ~]# vim /etc/pam.d/su # comment out the "auth sufficient pam_permit.so" line
[user@debian-8 ~]$ sudo ls # test sudo feature BEFORE closing the root shell ...

4.4 Anti Evil Maid
I've chosen to rely on /dev/sda1 for AEM installation, using a SRK secret,
as I really do not wish to enable USB ports due to stuff like BadUSB and the more recent Skylake USB Debug interface.

https://github.com/QubesOS/qubes-antiev ... aid/README
Took me like 20 reboots to get it working.
Hint 1: It's 3rd-gen-i5-i7-sinit-67.zip for i5-3320m,
Hint 2: You also want to make sure that Bios->Advanced->CPU->TXT is enabled.
Hint 3: You need to re-enable TPM in Bios->Security->TPM after using tpm_clear in dom0.
Hint 4: AFAICT, AEM requires the owner password to be zero-bytes, so only set SRK password.

Howto verify AEM works:
1) look for picture/text after entering srk password
2) switch some meaningful bios settings, e.g. toggle usb support on/off
3) look for ABSENCE of picture/text after entering srk password
4) change bios settings back
5) look for picture/text after entering srk password

4.5 Disable Intel ME/AMT by giving it a ME-cleaned Sleeping Pill
I seem to have stumbled upon an alarmingly trivial race condition within Intel ME local firmware update,
that seems to allow bypassing the second (chip-based) image verification while also allowing to flash the read/write-protected ME region.
So, no need to take your TB apart and fumble with an external programmer like in the old days.
(exploit this at your own risk and warranty, i am not responsible for your actions, i will not support your sorry ass)
See also: https://github.com/corna/me_cleaner/issues/64
Files for 19mk6-191... https://filebin.ca/3ZoqtxiQEx5m/ME.bin && https://filebin.ca/3ZorKoSiEbI2/MEREG-muchdisable.bin ... or bake your own

1) Update to BIOS V6.00L12, as the shipped BIOS V6.00L10 has "ME local firmware update" disabled. reboot.
2) Boot into BIOS and Reset AMT Config. reboot.
3) flash panasonic ME.bin. reboot.

C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid  D6B09D64-DA23-49A9-8888-F663BE603389 -f "ME.bin"
4) Start flashing panasonic oem ME.bin

C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid  D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "ME.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation.  All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification:  [ COMPLETE ]
FW Update:  [ 35% (Stage: 13 of 19) (-)]
5) HIBERNATE, after 2-3 seconds in Stage 13 last seen "50%" and Stage 14/19
6) RESUME, now see 0% ... and program hangs, so press ctrl-c

^C Update:  [ 0% (Stage: 0 of 19) (|)])]
7) Re-Start flashing with cleaned ME.bin. notice how it directly jumps to Stage 13 35%.

C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid  D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "MEREG-muchdisable.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation.  All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification:  [ COMPLETE ]
FW Update:  [ 35% (Stage: 13 of 19) (-)]
FW Update:  [ 100% (Stage: 19 of 19) (-)]
FW Update is complete and a reboot will run the new FW.
8) reboot. lean back. smile -- unless bricked

results of ME disablement:
other oem strings @ panasonic pcinfo http://picpaste.com/diff-pcinfo.png
PRE-BOOT and other ME-Name @ meinfo http://picpaste.com/diff-meinfo.png
Recovery state and two wiped registers @ http://picpaste.com/diff-intelmetool.png
fwupdlcl -fwver shows version, but -save and -f just hang
memanuf reports some error
ctrl-p reports "FW Status Recovery Error" and then just boots

4.6 Customize fedora-25-dvm (optional)
https://www.qubes-os.org/doc/dispvm-customization/
highly recommended: firefox->about:config->reader.parse-on-load.enabled=false # gets rid of braindead "reader view" feature/nagscreen

4.7 Install Windows Tools (optional)
download iso for windows paravirtualization (xen pv drivers, seamless mode, app integration)
[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
https://www.qubes-os.org/doc/windows-appvms/

I did a quick passmark performance test on a win7 within qubes.
the win7 vm has only two of four cores, just 6gb ram and i didn't even bother to install xen pv block drivers for speedy storage access.
the results are still pretty good, especially when compared to a cf19mk3 ;-)
[Image: cf19mk6qubes-win7-passmark8.png]
4.8 Basic Verification Steps
Make sure your settings work as intended ... e.g. I initially forgot to re-setup sudoers confirmation after upgrading from fedora23 to fedora25
This would also be the ideal point in time for running some hardening tools like lynis...
[Image: excel-ified results of lynis -c -Q on some VMs, intended to inspire further hardening (lynis-qubes32-afterguide.png)]
Last edited by Karl Klammer on Fri Nov 03, 2017 12:00 pm, edited 53 times in total.
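An added check for the Sudo Confirm setup from 4.3 and the "make sure your settings work as intended" step in 4.8 (example code, not part of the original post): check_sudo_confirm audits a TemplateVM filesystem tree for the four changes the guide makes, and make_sample_tree is a hypothetical helper that builds constructed stock and hardened trees so the check can run outside a Qubes VM.

```shell
# Added example, not from the original post. Audit a TemplateVM root ("/"
# inside the VM, or a constructed tree) for the section 4.3 changes.
# Prints one line per finding and returns the count (0 = hardened as intended).
check_sudo_confirm() {
    root=$1
    findings=0

    # 1) Authentication must be routed through the dom0 qubes.VMAuth dialog.
    pam_ok=0
    for f in "$root/etc/pam.d/system-auth" "$root/etc/pam.d/common-auth"; do
        if [ -f "$f" ] && grep -q '^auth.*pam_exec\.so.*qubes\.VMAuth' "$f"; then
            pam_ok=1
        fi
    done
    if [ "$pam_ok" -eq 0 ]; then
        echo "FAIL: no pam_exec qubes.VMAuth line in system-auth/common-auth"
        findings=$((findings + 1))
    fi

    # 2) The NOPASSWD grant must be gone from the user line.
    if [ -f "$root/etc/sudoers.d/qubes" ] && grep -q 'NOPASSWD' "$root/etc/sudoers.d/qubes"; then
        echo "FAIL: NOPASSWD still present in /etc/sudoers.d/qubes"
        findings=$((findings + 1))
    fi

    # 3) Both allow-all polkit files must have been removed.
    for f in "$root/etc/polkit-1/rules.d/00-qubes-allow-all.rules" \
             "$root/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla"; do
        if [ -e "$f" ]; then
            echo "FAIL: polkit allow-all file still present: ${f#$root}"
            findings=$((findings + 1))
        fi
    done

    # 4) Debian: an active pam_permit line in /etc/pam.d/su would let su skip the dialog.
    if [ -f "$root/etc/pam.d/su" ] && \
       grep -q '^auth[[:space:]]*sufficient[[:space:]]*pam_permit\.so' "$root/etc/pam.d/su"; then
        echo "FAIL: active 'auth sufficient pam_permit.so' in /etc/pam.d/su"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Hypothetical helper: build a constructed sample tree. MODE "default" mimics a
# stock TemplateVM with passwordless sudo, "hardened" one after section 4.3.
make_sample_tree() {
    mode=$1
    root=$(mktemp -d)
    mkdir -p "$root/etc/pam.d" "$root/etc/sudoers.d" \
             "$root/etc/polkit-1/rules.d" "$root/etc/polkit-1/localauthority/50-local.d"
    if [ "$mode" = hardened ]; then
        echo 'auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /usr/bin/grep -q ^1$' > "$root/etc/pam.d/system-auth"
        echo 'user ALL=(ALL) ALL' > "$root/etc/sudoers.d/qubes"
    else
        printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok\n' > "$root/etc/pam.d/system-auth"
        echo 'user ALL=(ALL) NOPASSWD: ALL' > "$root/etc/sudoers.d/qubes"
        : > "$root/etc/polkit-1/rules.d/00-qubes-allow-all.rules"
        : > "$root/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla"
    fi
    echo "$root"
}
```

Inside a TemplateVM the same check is `check_sudo_confirm /`; a non-zero return means the confirm dialog can still be bypassed somewhere.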

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#2 Post by Karl Klammer »

(merged with initial post)
Last edited by Karl Klammer on Fri Nov 03, 2017 4:04 am, edited 2 times in total.

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#3 Post by kode-niner »

Interesting. Keep us updated on its stability and future developments on the remaining untested and partially supported components.
Daily drives a CF-31

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#4 Post by Karl Klammer »

kode-niner wrote:Interesting. Keep us updated on its stability and future developments on the remaining untested and partially supported components.
are you interested in any particular of the "not tested" ports?


hardware support is rather complete, only really lacking ALS and some of the front buttons.
xen seems to filter most of the powertop --auto-tune goodness (only 8%gain) ... i need to look into xenpm

no crashes so far, it seems to just work and does not get in my way
i had two experiences where mouse+keyboard didn't work on resume-from-ram.
the easy fix/workaround was to close and open the lid again ;-)

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#5 Post by kode-niner »

Karl Klammer wrote:are you interested in any particular of the "not tested" ports?
Not specifically. My interest is marginal and more for curiosity's sake. I've never had any problems sandboxing processes when I need to with standard distros. If Qubes becomes usable on a CF-31 - which I intend to buy eventually - for the tasks that I do, I might consider it.

For the meantime, I consider myself savvy enough to not get pwned without Qubes' extraordinary security and nothing I do requires EAL (yet).

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#6 Post by Karl Klammer »

Long-term stability update after a month:
- No serious issues so far.
- Touchpad/Keyboard sometimes do not work on resume. Close/Open lid fixes this.
- Touchpad acts erratically on constant high load, when the cpu core temp rises above 64C.
This is probably caused by some sys-usb timing issues in combination with some heat-related hardware design issues.
Closing the lid for 2 minutes fixes this.

I've submitted an entry to the Qubes HCL list and attached the qubes-hcl-report files to this post.
Attachments
Qubes-HCL-Panasonic_Corporation-CF_191HC51FL-20170105-134247.yml.gz
yaml
(648 Bytes) Downloaded 1210 times
Qubes-HCL-Panasonic_Corporation-CF_191HC51FL-20170105-134247.cpio.gz
cpio, anonymized
(8.31 KiB) Downloaded 1131 times

Rob
Toughbooktalk Founder
Posts: 3575
Joined: Mon Mar 16, 2009 8:23 pm
Contact:

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#7 Post by Rob »

HOLY TOLEDO...

STICKED! :)
~Rob - Vice President - Rugged Depot~

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#8 Post by Karl Klammer »

:wtf: As of 2017-01-06, Toughbooks are the only laptops known to fulfill Qubes 4.0 system requirements. :headbang:
https://groups.google.com/forum/#!topic ... dTZ0zv2vX4

Robs Depot: where EAL5 meets MIL810G 8)
Sale: get 20% off on your hack- and water-resistant computing needs

@Rob: Use that for marketing, but hurry up, before someone with a flimsy Dell XFR submits a report :rofl:


EDIT 2017-01-08:
A second R3.2 HCL report appeared yesterday, for a Thinkpad that lacks AEM support.
So ... I've spent this morning fooling around with Qubes AEM feature, just to see if I could get that final HCL checkbox green ;-)
The attached journalctl file looks good to me, but I am not an expert on TPM.
BTW: I'm using nail polish as my actual, physical AEM solution... no code means no backdoors ;-)
Attachments
journalctl_anti-evil-maid-unseal.txt
(2.43 KiB) Downloaded 1103 times

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#9 Post by Karl Klammer »

Long-term stability update after 7 months

yeah, works just damn fine :boing:
the touchpad overheating issue can be a bit annoying when gaming on hot days. :confused:

SHEEPMAN!
Posts: 2239
Joined: Thu Oct 14, 2010 1:13 pm
Location: TDR-HQ California

Re: Guide to Qubes 3.2 on Toughbook 19 mk6

#10 Post by SHEEPMAN! »

What did you do with sound?

Way back when you were going to write a script.