So, if you read my recent post on setting up a virtual machine multi-boot image with OpenBSD and Linux, you’ll be familiar with the background for this post. Today, I’m going to detail the exact steps I took to set up my new work laptop, a Thinkpad X1 Carbon (4th Generation Skylake) laptop running Arch Linux and OpenBSD. Since we don’t have solid support yet for Skylake, there are some interesting workarounds that others, far smarter than me, were kind enough to leave on the Internet. I’ll detail those and give credit to the original authors below.
First off, let’s talk about why I’m doing this. As some of you may know, I’ve been a bit of an Apple fanboi for quite some time. So the concept of me moving off of Apple hardware to a <yuck> “PC” </yuck> was something that, quite frankly, freaked out some of my friends. One of them described it as one of the four signs of the apocalypse!
So, given that, why do I want to do it? There is an old saying that you can throw a frog in a pot of boiling water and it will jump out to save itself, but if you put it in a pot of cool water and slowly raise the temperature, it will let itself be boiled to death because the change was so gradual. Gross! However, pretty apt to describe my situation. Every Apple product that comes out is (read this in a Jony Ive accent) “x percent thinner and lighter than the previous one!” Well, I’ve often wished that Apple would do certain things to the hardware – make it more standard, faster, more RAM, more battery life, etc. However, I never asked for “thinner and lighter”.
As a result, when I saw the 12″ Macbook released I thought it would be a nice travel laptop and overlooked the fact that it had a single USB-C port (who doesn’t like dongles), in a stiff breeze it might blow over on a table, the CPU was massively under-powered and the NVMe hard drive in it is so weird it actually reports the wrong PCI device ID when queried by the bus. But whatever, it was thinner and lighter. Never mind that I ended up carrying more dongles and adapters in my backpack to offset the weight “loss” and that USB-C can sometimes be finicky and a pain in the butt. Oh and that extra thin keyboard. What a pain to type on. Oh and don’t get me started on the number of times I had to mash the power button for a hard reboot when it didn’t wake from sleep…
Then came the spate of bugs in iOS. I can’t tell you how many times I’ve had to hard reboot my phone just to do things like make calls. Oh, and the recurring one where my phone is ringing and the UI is locked up and won’t swipe to answer – awesome! Then came macOS Sierra. With kernel panics weekly (hadn’t seen one of those since Tiger), the 6-10 times per day where my external display blanks for 3-5 seconds and that Mail and Calendar crash daily for me. I had hoped that the .1 release would fix the problems – it didn’t.
So I finally realized I was loving a glorified historical Apple and that I really wasn’t a happy user. Then came the new Macbook Pro. For the first time, I saw a new laptop that I didn’t actually want to buy. As a VI user, the thought of having a fake escape key sounded awful and the little touch screen was little more than a gimmick. Plus the underpowered hardware and that “blessed” thin keyboard again? No thanks. So I made the hard decision to make the switch, did my research and settled on this setup. Whew. Some backstory!
OK, so I planned on getting the new laptop out of its box, shrinking the Windows partition, adding in Arch and OpenBSD (both with full disk encryption – remember the name of this blog). Should be fun.
Shrinking the Windows partition was pretty simple. I booted up, let it do its “first time you boot Windows” business, then rebooted just to be sure I was in a clean state and went into Disk Manager. I resized the partition down to 200G, created three blank partitions – Arch /boot, Arch encrypted luks volume and OpenBSD “slice” (I chose to leave them unassigned relative to drive letters or paths and didn’t format them, I just wanted place-holders) – and rebooted to be sure it all still worked. It did.
Here’s where it got fun. Time to boot the Arch install media and get started. I based my install on this excellent blog post. Also, based on this post, I took the recommendation and turned off secure boot. The first thing I noticed was that the NVMe drive showed up as a different type of animal on Arch than I had expected. It wasn’t a /dev/sd* device, it was /dev/nvme0n1 and my partitions were /dev/nvme0n1p1, etc. So here is where I give you kids a PRO TIP. When you are creating your encrypted luks volume, don’t get confused by the fact that there is a number in the base device name and think you are telling it to encrypt that partition and instead create a luks volume on the entire drive. Yep. That’s what I did. Darnit! I could use the rescue partition – oh wait, I managed to whack that too.
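A small guard for the PRO TIP above, added here as an example and not part of the original install steps: it refuses to pass a whole disk such as /dev/nvme0n1 to `cryptsetup luksFormat`. The function names are made up for illustration, and the name-based fallback only knows the nvme, mmcblk, sd and vd naming schemes.

```shell
#!/bin/sh
# Added example: refuse to hand a whole disk to `cryptsetup luksFormat`.

# Classify by kernel name only. Disks whose name ends in a digit
# (nvme0n1, mmcblk0) mark partitions with a "p" separator (nvme0n1p2);
# sdX/vdX disks append the partition number directly (sda2).
classify_by_name() {
    name=${1#/dev/}
    if printf '%s\n' "$name" | grep -Eq '^(nvme[0-9]+n[0-9]+|mmcblk[0-9]+)p[0-9]+$'; then
        echo part
    elif printf '%s\n' "$name" | grep -Eq '^(nvme[0-9]+n[0-9]+|mmcblk[0-9]+)$'; then
        echo disk
    elif printf '%s\n' "$name" | grep -Eq '^(sd|vd)[a-z]+[0-9]+$'; then
        echo part
    elif printf '%s\n' "$name" | grep -Eq '^(sd|vd)[a-z]+$'; then
        echo disk
    else
        echo unknown
    fi
}

# Prefer the kernel's own answer when the node exists; fall back to the name.
blockdev_type() {
    if [ -b "$1" ] && command -v lsblk >/dev/null 2>&1; then
        t=$(lsblk -dno TYPE "$1" 2>/dev/null) || t=""
        if [ -n "$t" ]; then echo "$t"; return 0; fi
    fi
    classify_by_name "$1"
}

# Return 0 only for a partition; anything else is refused with a reason.
luks_target_ok() {
    t=$(blockdev_type "$1")
    if [ "$t" = part ]; then
        return 0
    fi
    echo "refusing $1: type is '$t', not a partition" >&2
    return 1
}

# Usage (as root; destructive, but only on the named partition):
#   luks_target_ok /dev/nvme0n1p2 && cryptsetup luksFormat /dev/nvme0n1p2
```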
Oh well, I don’t like Windows anyhow, so I’ll salve my pride by saying I intended for this to be a dual-boot install not a triple-boot one. If I ever need to update the BIOS I’ll cross that bridge when I come to it. So, starting from the top. I booted the Arch install media, put a new GPT partition table on the disk and created three partitions. A /boot partition that was type 8300, a luks container for my encrypted volume (type 8300 as well initially), and a type a600 partition for my OpenBSD slice. I formatted the /boot partition as FAT32 and created a root, home and swapfile in the encrypted luks/lvm partition. I did the install of Arch into it, rebooted and all was good.
I then set up a gnome desktop with gdm as the display manager (enabled on boot), created my default user (which I added to the wheel group and tweaked sudoers to allow me to run root commands when I need to) and installed my apps. I rebooted and everything was swell. The system handled my HiDPI display just fine, recognized all of the devices and even had hibernate / sleep working out of the box. The only tweak I had to do was to disable Wayland because I intend to use Virtualbox to run my Windows VM for Skype for Business (the only reason I ever have to go to Windows these days).
In total, I ended up adding the following packages from the base Arch repository:
- xf86-video-intel (select libinput for the trackpad based on the earlier post I referenced on turning off secure boot)
- evolution-ews (interestingly I had to first set up a non Exchange mail account before I could successfully set up an Exchange account)
- firefox (follow this hardening guide for privacy optimization)
- libreoffice (I installed stable because “fresh” seemed to oddly have some HiDPI problems)
- chromium (for the rare times I have a site that doesn’t work on my locked down version of firefox)
- openconnect and networkmanager-openconnect (we have a Cisco firewall at work)
- vim (because it’s better than Emacs <grin>)
- virtualbox (see this wiki entry on how to configure)
- vlc and qt4 (so I can have the GUI)
- openvpn and networkmanager-openvpn
From the Arch User Repository (AUR), I installed the following:
OK. Now for the fun part – installing OpenBSD. I rebooted off of the latest snapshot install media, popped out to the shell and discovered to my dismay that it looks like my NVMe drive is not supported yet. Dangit! OK. I think I know how to fix this, I’ll build a patched kernel and see if I can get around this – darned PCI device identifiers. That will have to go in a separate blog post.
As far as nuking your rescue partition goes, Lenovo have been offering for quite some time bootable BIOS images that you can… burn to Disc and then use with a… Disc drive… I’ve bought a dongle (ha) external DVD drive that has so far served me well when updating my Thinkpads’ BIOSs!
The first thing to do whenever you get a new Thinkpad (and probably any laptop, really) is create the restore media. That way, it doesn’t matter if you accidentally (*cough* intentionally) nuke your restore partition.
I like to go a step further, though. For the last two Thinkpads I’ve bought, I’ve gotten them with the smallest and cheapest disk possible. Then I buy the disk I want separately. When I get the Thinkpad, I create the restore media, do any BIOS updates, and then remove the drive and replace it with the new one. Then I install Linux (can’t do BSD, unfortunately – I need some Linux-only software).
The nice thing is that if I need any warranty work done, I can pop the original drive back in.