Installing FreeBSD, Dual-Boot, on an X1 Carbon Gen6
The Market Ticker - Commentary on The Capital Markets
2019-01-27 13:48 by Karl Denninger
in Musings

I've had my Lenovo X220 for a long time.  Time has moved on and yet until this last year I saw no compelling reason to spend money again.  The X220 works great and the "improvements" have been small in number but large in price -- and thus not worth it, in my view.

This last year the X1 Carbon Gen 6 units showed up.  The previous models were nothing special -- but the "6" was nice.  The problem was that "nice" came with a screamingly-stupid price tag, so I passed.  But now you can get the X1 Carbon Gen 6 models in a good configuration (i7, 16Gb RAM and a 500Gb SSD) at a nice price -- refurbished, but still with a decent amount of remaining factory warranty.

Incidentally, Lenovo has a rather nice "companion" app that allows you to (among other things) set the charge controller's maximum charge point on these machines (!!!)  Setting it to 80% will cost you 20% of your runtime but it will double or better the battery's cycle life.  In addition if you're connected to wall power and in the "no-charge window" (e.g. 75%-80%) the system will take its power from the A/C line but not charge, so the battery does not cycle in that state at all.  Setting this is not a Windows thing either -- it programs the charge controller hardware so once set it is persistent even if you boot something other than Windows or the computer is plugged in but off.  I like that a lot -- this ought to be mandatory on any sort of battery-powered mobile device (e.g. a phone), especially if the battery is not user-replaceable.  You know damn well Apple, Samsung and the rest will never do that however since it's part of how they sell both computers and phones -- build them so the battery pukes in about a year and guess what -- you're back in their store!  Oh Tim Crook you piece of crap jackass, why isn't this capability standard on all your MacBooks since you're allegedly the "innovation leader"?

In any event these machines can go 6+ hours of moderate use even with the charge point restriction in place, so you're not giving up much and with this set leaving the unit connected to power does nothing to battery cycle life, unlike virtually every other machine on the market.  Incidentally, the new Coffee Lake processors (Intel Gen 8) are damn fast on a comparative basis.  This is the first "innovation" in laptop CPUs that has been worth spending money on in five+ years, so if you're wondering if it matters -- it does.  In addition these units have Samsung NVMe SSDs in them which are blistering fast, plus a Thunderbolt 3 port that can drive external video cards if you wish.  I've seen no reason to "upgrade" from my X220 until now; it's still perfectly functional too, by the way.....

If you want my short list of complaints with "modern" laptops it's the port problem.  Specifically, small and light means compromises when it comes to interior space and thus ports.  Full-size SD slots (for example) consume interior space which is at a premium, so they're disappearing.  Worse, on many machines so are USB Type A connections, which is IMHO utterly unconscionable.  Yes, I know Type C is both smaller and comes with USB-PD, which is superior but there are literally a billion USB-connected devices out there that come with and require a Type "A" plug -- or some sort of adapter -- to use.  Those devices aren't going away for a very long time, and as such having at least one (and preferably two) Type "A" port is IMHO required. Dell has screwed the pooch in this regard with their latest "ultrabook" models; Lenovo has only partially done so (there's no full-size SD slot, but there are two Type A ports.) 

One big advantage of USB-PD connections found on newer devices is that we're moving closer to true interchangeability when it comes to power in the mobile world.  Specifically, I can use the laptop's charger to charge my phone, I can use my phone USB-PD charger (provided it can do 20V output) to charge the laptop (slower, but it should work), my car's USB-PD charger can charge the laptop (I no longer need an inverter) as well as my phone, and I can use the laptop battery to charge the phone as well.  The latter means that if I need to I can plug the car into the laptop and the phone into the laptop as well on the second USB-C port and both will charge.  This allows me to get rid of multiple things I used to have to carry, or continue to carry them and gain redundancy -- and that's a good thing.

One of the things I find insanely annoying -- and insecure -- is anything Microslug.  Sadly I, like a lot of other people, cannot get away from it in that there's just too much software that I use on a regular basis that is either Apple or Microsoft only.  I prefer a FreeBSD desktop for a lot of things, never mind that I want to do some code development on it when traveling, which of course means I want the code environment I write in 90+% of the time on my laptop.

So if you're inclined the same way I am when it comes to operating systems here's how to dual-boot it -- yes, with UEFI (the "new way of the world.")  Oh, and to do so with full-disk encryption for both environments.  I consider full disk encryption essential on a portable machine because they're much more likely to be lost or stolen than a desktop.  Full disk encryption obviously won't stop someone from stealing the computer but it will make sure if someone does steal it they can't get to any of the data on it.

First, shut off secure boot in the BIOS settings.  That's a Microsoft-signature thing. It does provide (some) security on the boot process, provided you trust Microsoft. I do not, so therefore..... yep.  Note that if you have Bitlocker turned on (and you should if you've been using the machine) the restore process below will result in a non-encrypted Windows installation.  That's fine; you can re-enable it later (and should.)

Next, use Macrium Reflect (the free edition is fine) to make room for a FreeBSD partition.  The best way to do this is to back up the machine (make damn sure you create "boot media" and test it!), then RESTORE all the partitions using that boot media back to the machine's internal disk and, when restoring, resize the system ("Windows") partition to leave an appropriate amount of free space.  100Gb is quite a lot of storage for a user-style FreeBSD system, unlike most WinBlows machines that are flat-out bloated pigs -- which means that pigheaded Winblows and nice FreeBSD will handily fit on a 500Gb NVMe SSD and even a 250Gb disk is more than enough (although you may wish to downsize the FreeBSD side to ~60Gb in that event, which is still going to leave you an insane amount of room on that side.)

CAUTION: Do not be tempted to use a partition resizer to do this instead of using Macrium to take a full backup and restore. Several of the below steps have no "are you sure" option or safeties to prevent data destruction; the commands below assume you know what you're doing and take effect instantly.  If you screw up during any of those steps and don't have a backup everything on the machine may be destroyed and it can be rendered unbootable, including any built-in recovery partition.  Without recovery media or a backup and boot media for it you're in big trouble if that happens. Doing it right means knowing you have a good backup and can restore it before you begin, which is exactly what you just did and proved.

Now go to https://www.rodsbooks.com/refind/ to download the rEFInd EFI boot manager, then install it.  UEFI machines are supposed to provide a decent set of boot management options but damn near none actually do; this bit of code overcomes that problem.  The pages look sort of scary in terms of the amount of material present; they're not.  You need the "zip" file which contains all the pieces necessary.  Grab the package and read the Windows installation instructions; it's very simple to install this from the Windows command prompt.  You only want the "x64" version (there are three; delete the other two before you copy it over.)  To test the installation reboot; the system should show you a boot menu, but the only "real" bootable option will be Windows.  If you screw up typing something what will probably happen is that Windows will start instead of you getting the menu -- go back and check your work if that happens.  You're now set up to choose multiple operating systems painlessly every time you boot the machine.

Download FreeBSD-12 (the x64 version) from https://freebsd.org in the memory stick format and use your favorite tool (e.g. "dd" or win32diskimager) to copy it to a USB key or other similar thing (an SD card in a reader works just fine too.)  Note: You want FreeBSD 12.  You can use 11.x if you wish, but the nice integrated encrypted storage option I'm describing here might not work; I'm not sure if the encryption-aware EFI loader was MFC'd back to 11.x.  You can still set up for encrypted disk storage without that but it's a lot more of a pain in the ass to do than what I'm describing here and makes maintenance using FreeBSD's internal tools more-complicated unless you're quite careful. Use 12; it's both more-secure in that there is no "exposed" non-encrypted boot partition and easy to set up by comparison.

FreeBSD's installer should, in theory, be able to handle a "multi-boot" environment with reasonable facility but doesn't and the only option it offers for automatic setup with encrypted storage uses ZFS on the entirety of one or more disks.  That's reasonable on a dedicated machine with multiple drives but not for a laptop or other computer with one disk and a dual-boot requirement -- so you get to do the disk setup by hand.

Now boot the stick with FreeBSD-12 on it.  On the Lenovo hit ENTER on initial start when prompted and then select F12 to change the "default" boot order and select the USB stick from the drop-down menu.  Start the installer but when you get to the disk layout (there will be four choices; one of which is UFS and one of which is ZFS) select manual (it'll warn you that you have to be an "expert.")

You'll get a "#" (root) prompt.

Now type "gpart show | more" and look.  You should see something like "nvd0" at the top -- which is your SSD.  There should be a large unallocated space (marked " - free - ") of the size you left.  Note it, and that it will not have an index number.

If there is no free space of the size you left YOU ARE LOOKING AT THE WRONG DISK.

Type:

# gpart add -t freebsd-ufs -l freebsd-root -a 4k nvd0 (assuming your disk is named "nvd0" in the above)

This will tell the system to add a partition for FreeBSD to the disk named, consume all remaining available space in that nice large block and put a label on it of "freebsd-root."  This is probably what you want; the label is optional but will help you avoid mistakes while putting the system together.

Now look again at "gpart show | more"; you should see the freebsd-ufs partition you created.  Remember the index number next to it.  If it's "6" then the disk partition is in /dev/nvd0p6.  The numbers may not (probably will not, if you resized from a backup) be in order.  That's ok.

Warning: If you do any of the following to the wrong partition you will destroy whatever is in it.  There are no warnings or safeties on any of these commands; you're acting as "root", and it is assumed "root" knows what he's doing.  That backup you made as the first step will come in real handy if you screw up here so don't do anything stupid to wherever you put the backup -- like erase or destroy it!

BEFORE you press RETURN in any of the below steps look -- TWICE -- at what you just typed or be prepared to use that backup you made and start over!

# geli init -b -g -l 256 -s 4096 /dev/gpt/freebsd-root  (note that "-l" switch is the letter "l" -- not a numeral one)

This initializes encryption on this partition.  "-b" and "-g" tell the system you are going to boot from it, and that the boot system should ask you for the password.  "-s 4096" sets the sector size; 4096 is a good choice with a decent split between performance and XTS fuzzing (security), and matches most SSD page sizes which is important on SSDs.  "-l 256" says to use 256-bit AES instead of 128 and is optional.  There's debate over whether 128 or 256 is more-secure; 256 is a bit slower, but not much.  Note that you cannot change either the sector size or AES length once the partition is initialized without erasing everything in the partition you are encrypting.  Unlike Bitlocker on Windows there is no "encrypt in-place" option.

You will be asked for a password.  Use a strong password and do not forget it.  There is no way to recover anything on that partition if you lose it.  Ever.  Period.  There is no recovery key ala Bitlocker; you either have the password (the system does allow you to set a second one but that's beyond the scope of this document) or there's nothing you can do to get the data back.

When that command completes type:

# geli attach /dev/gpt/freebsd-root

And enter the password when prompted.  If it's correct you'll see a couple of lines announcing the filesystem is attached and another root prompt.  If the password is wrong it will tell you; repeat the command and put in the right one.  If you accidentally put in the wrong device name the password will obviously not work since it's not the correct part of the disk.

Now type:

# newfs -t -j -U -L rootfs /dev/gpt/freebsd-root.eli

Note: The ".eli" name on the end denotes the encrypted partition you just attached.  This initializes the filesystem itself; you are telling the system you are on an SSD and want it to use "TRIM" ("-t"), you want Journaling and Soft Updates ("-j" and "-U"; both good for performance and data security / reboot speed) and you also want a label called "rootfs" ("-L").  The last switch isn't really necessary -- but it's good practice.

Now you have to mount that filesystem where the installer wants it so it can put the operating system on there for you:

# mount /dev/gpt/freebsd-root.eli /mnt

And then create two files necessary for the system to boot when you're done -- an /etc/fstab file to tell the system where the filesystem is you created and a loader.conf file so the system knows where to find the root filesystem and to load the encryption driver during the boot process:

In /tmp/bsdinstall_etc/fstab put:

/dev/nvd0p6.eli / ufs rw 1 1

And in /tmp/bsdinstall_boot/loader.conf place:

geom_eli_load="YES"
vfs.root.mountfrom="ufs:nvd0p6.eli"

"vi" is a good choice to do that, assuming you know how to use that editor.  "echo" will work too (one line at a time.)  So will "ee" (Easy Editor.)

(nvd0p6.eli may be different depending on what you saw above -- if unsure look again with "gpart show | more" and look for the index number of the partition.  Note there is no "/dev" prefix and that ".eli" on the end must be present; that's the attached encrypted copy.  Without it the system won't boot as it will try to read the unencrypted device and will see garbage.)
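
The index lookup and the two boot files described above, as an added example that is not part of the original post: an sh helper that finds the freebsd-ufs partition in "gpart show" output, refuses to continue unless there is exactly one, writes matching fstab and loader.conf lines, and checks that both name the same ".eli" device. The function names and the sample "gpart show" listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Real use from the installer's shell would look like:
#   part=$(gpart show nvd0 | pick_one freebsd-ufs) || exit 1
#   gen_fstab  "$part" > /tmp/bsdinstall_etc/fstab
#   gen_loader "$part" > /tmp/bsdinstall_boot/loader.conf

# Constructed `gpart show` listing: the new partition has index 6 and the
# indexes are not in disk order, as happens after a resize-on-restore.
sample_gpart() {
    cat <<'EOF'
=>        40  1000215136  nvd0  GPT  (477G)
          40        2008        - free -  (1.0M)
        2048      532480     1  efi  (260M)
      534528       32768     2  ms-reserved  (16M)
      567296   786432000     3  ms-basic-data  (375G)
   786999296   209715200     6  freebsd-ufs  (100G)
   996714496     2048000     4  ms-recovery  (1000M)
   998762496     1452680        - free -  (709M)
EOF
}

# Read `gpart show` output on stdin, print "<disk>p<index>" for every
# partition of type $1. "- free -" rows have no numeric index and are skipped.
find_parts() {
    awk -v want="$1" '
        $1 == "=>"                     { disk = $4; next }
        $3 ~ /^[0-9]+$/ && $4 == want  { print disk "p" $3 }
    '
}

# Like find_parts, but fail unless there is exactly one candidate, so a
# destructive command is never pointed at a guessed partition.
pick_one() {
    parts=$(find_parts "$1")
    count=$(printf '%s' "$parts" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one $1 partition, found $count" >&2
        return 1
    fi
    printf '%s\n' "$parts"
}

# fstab wants the /dev path of the attached (.eli) provider.
gen_fstab()  { printf '/dev/%s.eli / ufs rw 1 1\n' "$1"; }

# loader.conf wants the same provider, without the /dev prefix.
gen_loader() {
    printf 'geom_eli_load="YES"\nvfs.root.mountfrom="ufs:%s.eli"\n' "$1"
}

# Check fstab ($1) against loader.conf ($2): geom_eli is loaded, the root
# device is the .eli provider, and both files name the same device.
check_boot_files() {
    fs_dev=$(awk '$1 !~ /^#/ && $2 == "/" { sub("^/dev/", "", $1); print $1; exit }' "$1")
    ld_dev=$(sed -n 's/^vfs\.root\.mountfrom="ufs:\(.*\)"$/\1/p' "$2" | sed 's|^/dev/||')
    grep -q '^geom_eli_load="YES"' "$2" || { echo "loader.conf: geom_eli_load missing" >&2; return 1; }
    case "$fs_dev" in
        *.eli) ;;
        *) echo "fstab: root is not a .eli device" >&2; return 1 ;;
    esac
    [ "$fs_dev" = "$ld_dev" ] || { echo "fstab and loader.conf disagree" >&2; return 1; }
}

# Demo on the constructed listing: print the two files' contents.
if part=$(sample_gpart | pick_one freebsd-ufs); then
    gen_fstab "$part"
    gen_loader "$part"
fi
```

Run check_boot_files against /tmp/bsdinstall_etc/fstab and /tmp/bsdinstall_boot/loader.conf before typing "exit" to return to the installer.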

Now you need to mount the existing EFI partition on the drive and copy in the FreeBSD loader. The UEFI boot manager you installed earlier will be able to find it automatically, but to do so you must place the FreeBSD loader that knows how to scan for and read encrypted disk partitions in the correct place. The following commands will do that (the "#" is the root prompt), assuming "nvd0p1" is your EFI boot partition on the disk:

# mkdir /tmp/mount
# mount -t msdos /dev/nvd0p1 /tmp/mount
# mkdir /tmp/mount/EFI/FreeBSD
# cp /boot/loader.efi /tmp/mount/EFI/FreeBSD/bootx64.efi
# umount /tmp/mount
# rmdir /tmp/mount

Now you can type "exit" at the "#" prompt and you will be back in the installer with all the "bits" in the right place for it to put the system on the disk for you.  Do the other usual things in the installer, including setting up networking and similar.

When you're done let the installer run and finish.  When it goes through the normal process and you reboot you should get a boot manager screen with TWO usable options (there will be others as well); one of them should be FreeBSD's "Beastie Head", and selecting that option should immediately prompt you for a password, which is required to unlock and boot the partition you have just set up.

Congratulations; you can then set up X11 if you'd like (e.g. gnome, etc); be aware that the Carbon Gen 6 wants the "scfb" driver declared for X11 to work which is a bit annoying; a file called "driver-scfb.conf" goes in /usr/local/etc/X11/xorg.conf.d once you have xorg loaded and should contain the following to tell it to probe that driver:

Section "Device"
    Identifier "Card0"
    Driver "scfb"
EndSection

Without that Xorg's auto-configuration will not find the Intel graphics and X11 will refuse to start.

Now reboot into Windows and turn Bitlocker back on.  Unlike with X220 where I had to do some rather arcane things with the Group Policy Editor to make that work (Bitlocker would otherwise throw up as soon as I booted FreeBSD) so long as you have loaded the UEFI boot manager and the FreeBSD loader into the EFI partition before you do this it should be fine with you switching back and forth between operating systems -- it is on my machine.  Expect it to raise hell if you tamper with anything in that EFI partition after Bitlocker has initialized, but once you've set everything up there is no reason to screw with that area of the disk again, and in fact if someone does it's probably good for the system to raise a stink about it.  Do be aware that if you use Gnome by default it will try to mount all the partitions it can find when you sign in and will complain a lot if you have the Windows partition encrypted (as expected); the best option there is to turn the automount feature in Gnome off.  Be aware that without policy editing Bitlocker is only as secure as your physical machine and the login passwords on it; TPM-2.0 machines will boot a Bitlocker disk without a PIN entry so if your login password is crap or you use the fingerprint sensor the Windows partition is not secure against someone who can guess or spoof either and the very real possibility exists that Microsoft has a way in to such a booted machine via some Redmond-placed back door.
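
Bitlocker notices changes to the EFI partition from the Windows side; the following added example (not part of the original post) does a comparable check from FreeBSD by keeping a SHA-256 manifest of the partition's files and reporting anything added, changed or removed. The function names and the /root/esp.manifest location are assumptions, and the demo runs on a constructed directory tree rather than a real EFI partition.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed workflow on the real
# machine, with illustrative paths:
#   mount -t msdos /dev/nvd0p1 /tmp/mount
#   esp_manifest /tmp/mount > /root/esp.manifest   # once, after setup
#   esp_diff /root/esp.manifest /tmp/mount         # later, to check

# Hash one file: FreeBSD ships sha256(1), most Linux systems sha256sum(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Print "<sha256>  <path>" for every file under directory $1, sorted by path.
esp_manifest() (
    cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
)

# Compare saved manifest $1 with directory $2. Prints ADDED/CHANGED/REMOVED
# lines and returns 1 if anything differs, 0 if nothing changed.
esp_diff() {
    cur=$(mktemp /tmp/espcur.XXXXXX) || return 2
    esp_manifest "$2" > "$cur"
    out=$(awk '
        { hash = $1; path = substr($0, 67) }     # 64 hex chars + 2 spaces
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old))          print "ADDED   " path
          else if (old[path] != hash)  print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Demo on a constructed tree standing in for the mounted EFI partition.
demo() {
    esp=$(mktemp -d /tmp/espdemo.XXXXXX) || return 1
    mkdir -p "$esp/EFI/FreeBSD" "$esp/EFI/refind"
    echo "constructed loader bytes" > "$esp/EFI/FreeBSD/bootx64.efi"
    echo "constructed rEFInd bytes" > "$esp/EFI/refind/refind_x64.efi"
    esp_manifest "$esp" > "$esp.manifest"
    echo "different bytes" > "$esp/EFI/FreeBSD/bootx64.efi"
    esp_diff "$esp.manifest" "$esp" || echo "EFI partition differs from manifest"
    rm -rf "$esp" "$esp.manifest"
    return 0
}
demo
```

Keep the manifest on the encrypted root filesystem so it cannot be rewritten along with the files it describes.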

Finally, delete any existing Macrium Reflect backup XML profiles you used for Windows and re-create them.  Attempting to use the old ones from before you resized the partitions will not work since you've changed the partition layout; they will appear to run initially but error out during the process.  Make a final, new base backup for your Windows side and make sure it verifies, then use the FreeBSD tools of your choice to do so for the Unix side so you're protected there as well.

The only "gotcha" I've noticed is that 802.11ac WiFi isn't recognized but I believe this is still a FreeBSD limitation as of 12-RELEASE.  I don't have an external Thunderbolt dock so I have no idea if an external video card will come up, assuming appropriate entries in the x11 configuration files.

Enjoy!

Note: The options I specify above in setting up the encryption environment make the basic assumption that the purpose of encryption is to protect against a thief getting access to your data.  If your assumption is that you're trying to protect against a determined adversary with nearly-unlimited resources (e.g. a government, a police force, etc) then you have plenty of work to do before choosing those options -- never mind that Bitlocker on Windows is likely not secure against such an adversary at all.

Comments.......
Porteno
Posts: 2
Incept: 2019-01-27

Karl, I immensely respect your writing and positions, but I gotta call ya out on still using Lenovo, even refurbished.

Lenovo has shipped very questionable BIOS level software before: see footnote 1., and they're not above shipping baked in crapware multiple times: see 2.

Given that they're also a Chinese firm and as a result likely get benefits from their state org's IP theft policy, what are you still doing using their stuff?!

Also, give OpenBSD a shot, I've found it's got better power management on a laptop than FreeBSD.

1. https://www.techworm.net/2015/08/lenovo-....
2. https://threatpost.com/lenovo-hit-with-c....
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
Well when Dell (and everyone else) stop making laptops that are Windows-specific (which is a much bigger risk security-wise) then I'll consider them. But..... oops, they're made in China too, at least the parts that matter (no, stuffing a board in a case in the US does not make the machine "US".)

NONE of the modern machines from other manufacturers will run with modern non-Windows operating systems properly. They are all including devices that can't be talked to (e.g. WiFi cards!) or other not-nice feature things (like Windows-specific sleep modes that CANNOT be de-selected.) What's worse many of them break all sorts of other **** too (like the video drivers!) with Windows-specific hardware there too.

Oh and by the way those other guys are all Chinese on top of it -- some just hide it better in that they claim "assembly" in the US (some of them anyway), although in point of fact their system boards and BIOSes are all put together in..... China! So if someone's going to play "inject-the-code" games, well, you tell me whose machine I can buy nowadays that doesn't have that exposure?

THERE ISN'T ONE.

The Chinese suck donkey balls and I would laugh my ass off if someone nuked Xi to beyond the orbit of Mars for the bull**** that nation has pulled but until someone actually MAKES a computer in the US what option does someone have? Mine has been (for the last many years) NOT TO BUY AT ALL; my last laptop was purchased in 2011 and my desktop machine has a motherboard (and RAM) in it that was purchased in 2009! Roughly eight years is a long time, and that's been my expression of a boycott, but in that time NOBODY has made a US-based, US-sourced, US-assembled machine for me to choose instead, and among all the laptops, all of them Chineesium, Lenovo makes one of the few (if not the only) options that works properly with non-Windows specific hardware.

Incidentally Lenovo opened a US manufacturing facility in 2013 and began assembling many of their Thinkpads there. But.... that doesn't make them a US company any more than it does Dell.

----------
Winding it down.

Tripseven
Posts: 125
Incept: 2012-04-26

That's funny KD...you musta known I smoked my HP ProBook *POS* FreeBSD 11.2 system when upgrading to 12.0 so thanks for throwing this out there since I was thinking of getting something more FreeBSD friendly.

Doing a fresh install, I'm still fighting the Intel Graphics driver trying to figure how the hell I got it working last time, which was a bitch! I really want to go back to Win 7 on this machine so I can run my cam software and a couple others that won't run on FreeBSD but damn...$1500-2000 for a refurbished X1 Carbon Gen 6...yikes! You got a cheaper source?

BTW...never mind, link was fixed ;)

----------
Please God, take it all away...we don't deserve what we have!

"I find medicine is the best of all trades, because whether you do any good or not, you still get your money." -Moliere "A Physician in Spite of Himself" 1664
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
They're all over eBay for about $1,100 set up with i7s, 16Gb of RAM and the 512Gb NVMe disk (the OFFICIAL Samsung one -- there are some people stuffing cheaper ones in lesser-configured ones; the Samsung NVMe disk is a LOT faster), most with ~10-11 months of factory warranty remaining. Make sure whoever you get it from is an actual US Lenovo outlet however since you definitely want US-sourced product.

If it's a UEFI booted machine under FreeBSD it SHOULD use the same driver the Carbon does -- put the file "driver-scfb.conf" in /usr/local/etc/X11/xorg.conf.d with the contents in my post and see if "xinit" will come up.

If not then you get to horse around with the various drivers in the /boot/kernel directory to see if you can find the right one -- IF IT EXISTS. That's part of the problem -- if you have an nVidia chipset in there you're probably ok, but there are plenty of Windows-specific devices out there that WILL NOT play nice with other than Windows as an OS.

----------
Winding it down.

Tonythetiger
Posts: 5
Incept: 2019-01-27

Fort Walton
Instead of Dual-Booting the system, why not install your FreeBSD and then create a virtual Windows machine using Virtualbox (or primary Windows/virtual FreeBSD)? Use of Virtualbox brings some advantages:

1) The virtual drive is a file on the host system and can be moved to other computers running Virtualbox for use there.
2) You can install as many virtual machines as you can fit on the HD.
3) Virtualbox runs on all host OS's.
4) "Backing up" your virtual machine is as simple as copying a file.

I have been using this approach for years on my antique Toshiba laptop, running Linux as the host OS, with a Win2000 virtual machine (old s/w I use isn't supported by newer Windows OS's). It has been a big improvement over using dual boot, which I did before I discovered Virtualbox.
Tripseven
Posts: 125
Incept: 2012-04-26

OK thx!

----------
Please God, take it all away...we don't deserve what we have!

"I find medicine is the best of all trades, because whether you do any good or not, you still get your money." -Moliere "A Physician in Spite of Himself" 1664
Porteno
Posts: 2
Incept: 2019-01-27

ok, that's fair. You're right that barring some minor miracle within the near future that components will continue to be sourced from worldwide. However...

I'm sure I'll sound like a shill here, given just registering and so forth, but I'm using a Librem laptop from Purism, which dictates that all components are free and open source (including drivers). They even include FLOSS microcode updates so you don't need to compromise your system there via some Intel proprietary blob.

That means there's no crapware from the BIOS on down (the BIOS is also FLOSS). Sure, there's possibility for supply chain attacks or shady vendors, but I feel like this is the best one can do today.

I'm not advocating full on Stallman mode here but it does provide an alternative, with well supported hardware (WIFI/display/sound drivers) due to their open source nature. I've made the financial choice to pay more for their hardware and it's been completely worth it.

I won't link in an attempt to sound slightly less shill-y, but I encourage you to read up on their philosophy. I'm just posting this as a supportive user who ran OpenBSD successfully on their laptop on the first pass (now using Arch Linux for various professional reasons).
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
@Tonythetiger -
Quote:
Instead of Dual-Booting the system, why not install your FreeBSD and then create a virtual Windows machine using Virtualbox (or primary Windows/virtual FreeBSD)?

Several reasons:

1. Running FreeBSD under Windows using its hypervisor can be done. But if the point is to NOT run Windows except when you want/need it that's self-defeating.

2. Xen, and similar, can run as a bare-metal hypervisor. But, and this is a BIG but, you lose all the nice power management doing that. On a desktop not a big deal; on a laptop it is a very big deal indeed.

3. Licensing issues. The Win10 license that comes with the machine is hardware-tied. Run through an abstraction layer and it may refuse to authenticate. Now I get to either buy one or steal one. Naw.

4. Overhead. Why pay in terms of performance and power if I don't need it? If I'm running multiple virtual machines at once I have a reason to do that. On a laptop that sounds silly.

Dual-boot used to be a five-alarm pain in the ass, especially if you wanted to run Windows with Bitlocker, as Bitlocker would throw up all over you as soon as you booted the other operating system since doing so had to leave a "tag" in the boot area, so it flagged the machine as compromised. UEFI has basically fixed that, provided you put the things you need in the EFI area BEFORE you turn it on (and then don't **** with any of those files.) FDE was also somewhat of a pain to set up for FreeBSD; now it no longer is, which is nice.

And while the SJW jack*******s have had some infiltration into FreeBSD world (I've seen a few of the blowups on the mailing lists over the last few years) there is hard evidence that the Linux world and all things related to it have been irreparably compromised by that douchebaggery. How and if that has impacted security is unknown but this much I'm certain of: I want the best mind working on security-related things that I can find, not the one who shows up with the largest gages in its ears, has the wildest hair, or the 57th gender that it has dreamed up last week AND GOT THE GUY WHO IS SMARTER THROWN OFF THE PROJECT BECAUSE HE CALLED BULL**** ON ALL OF THAT GARBAGE.

----------
Winding it down.

Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
@Porteno --
Quote:
I'm sure I'll sound like a shill here, given just registering and so forth, but I'm using a Librem laptop from Purism, which dictates that all components are free and open source (including drivers). They even include FLOSS microcode updates so you don't need to compromise your system there via some Intel proprietary blob.

Nice try, no donut.

From Purism's own page they claim to source from China and Taiwan, along with the other usual places. Intel's microcode is encrypted so whether they have something in there that potentially splays keys around (in the AES-NI instruction set context) is impossible for them to control. Do I like disabling the ME? Yeah, if that's your point of concern. Incidentally you can shut that off in the BIOS, but of course this assumes you believe it's actually off when you say "off." Then again I have to trust the microcode too, so...... yeah.

Point here being if your threat model concerns unlimited-budget attacks then you've got a different realm of issue than most and you need to pay close attention to such. If so then NEVER running anything Microsoft, Apple or Google, ever, anywhere, is NECESSARY. Is your threat model in that realm? REALLY?

As soon as you load something like Windows on that machine you're back where you started. Again, what's the threat model you're concerned about and what are you trying to secure against?

The other issue is that frankly, if you're going to run a 7th gen or previous laptop CPU you're not getting much more than the 2011-era designs. It's the Coffee Lake processors (8th gen) that made it worth buying something new in the first place. Not kidding in this regard -- the real big difference between an X220 all the way through the 7th generation chips is that the X220 has a lower resolution screen and uses more power (TDP is higher on the CPU.) If you think I'm going to go spend close to $2 large on a laptop that is little if not no better than my 2011-era X220 in terms of performance, which incidentally you can buy used on the market today for about $250 and which have a robust parts supply available if/when you need them -- such as a replacement keyboard all the way through to a replacement system board should the need arise -- you're smoking crack.

----------
Winding it down.

Tripseven
Posts: 125
Incept: 2012-04-26

"If it's a UEFI booted machine under FreeBSD it SHOULD use the same driver the Carbon does -- put the file "driver-scfb.conf" in /usr/local/etc/X11/xorg.conf.d with the contents in my post and see if "xinit" will come up."

HELL YES!!! xinit good! startx running! Man you just saved me a massive headache from having to sift through /boot/kernel directory. That's what I did last time and it took FOREVER. Not documenting it was dumb dumb dumb! But, it was my FreeBSD training wheels days...although I'm still wearing them compared to you Daemons.

If anyone is interested in giving FreeBSD a shot Trihexagonal has a great tutorial at...
http://trihexagonal.org/tutorial.html
or
https://forums.freebsd.org/threads/begin....
(hope it is OK to post that Karl).
Especially if you have an old computer laying around that pukes with Windoze.

Thanks bigtime Karl!

----------
Please God, take it all away...we don't deserve what we have!

"I find medicine is the best of all trades, because whether you do any good or not, you still get your money." -Moliere "A Physician in Spite of Himself" 1664
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
Note that for X11 if you have a Radeon or nVidia card you need the proper kernel driver and probably (for nVidia cards) drm-next; the above is what UEFI usually sets up if you're on Intel's "integrated" graphics with their somewhat-modern to modern processors. I have no idea if it will work with either a Radeon or nVidia graphics setup and expect it probably will not.

nVidia cards in particular can be a pain in the ass under X11 because there are so many different manufacturers and not all of them use nVidia's "base" driver set -- those that don't and have their own proprietary driver for Windows tend to be trouble, either not working at all or being unstable. The "mainstream" manufacturer boards are usually ok -- but not all.

----------
Winding it down.

Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
@Tripseven -- unless you have a very good reason to use ports (you want to change options, for example, from the defaults) pkg is a HELL of a lot faster and takes MUCH less disk space.

Ports builds from source. Pkg installs pre-built ports. If you need options control on a given package then ports it should be, and yes, you shouldn't mix one with the other on a given system. But for most end-user systems pkg is both faster and easier to deal with since you don't get an options screen to go through where you have utterly no ****ing idea what 99 out of 100 of the options do.

----------
Winding it down.
Tripseven
Posts: 125
Incept: 2012-04-26

You read my mind or read my post over there ;)

Darn, I just installed port
cd /usr/ports/x11-drivers/xf86-video-scfb/ && make install clean
and I believe some others using the tutorial.

Would I have to deinstall them all then use pkg to reinstall?

----------
Please God, take it all away...we don't deserve what we have!

"I find medicine is the best of all trades, because whether you do any good or not, you still get your money." -Moliere "A Physician in Spite of Himself" 1664
Little_eddie
Posts: 1219
Incept: 2009-04-30

Delaware
I'm going the other way and I'm almost there.

I'm trying to do away with windows altogether, I do still have a laptop running Windows 10 but it doesn't get used all that often.

I also have another laptop running windows 7 but that's because I still run one game that was last updated back in 1995 and while most of it runs fine on Wine some things still need a windows box.

Now if I was still trading I know a lot of the software only runs on windows 10, but that's just another good reason to stop trading.

----------
Think of how stupid the average person is, and realize half of them are stupider than that. - George Carlin

Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
@Tripseven -
Quote:
Darn, I just installed port
cd /usr/ports/x11-drivers/xf86-video-scfb/ && make install clean
and I believe some others using the tutorial.

Would I have to deinstall them all then use pkg to reinstall?

NEED to? No. MOST of the time using pkg and ports together won't bite you.

MOST of the time.

The risk is generally that one may be more up to date than the other, or (worse) you select an option that has a dependency change associated with it. That usually doesn't happen, but it can....

----------
Winding it down.
Tripseven
Posts: 125
Incept: 2012-04-26

Started from scratch using pkg this time on all. That loaded WAY faster!

Thx again

----------
Please God, take it all away...we don't deserve what we have!

"I find medicine is the best of all trades, because whether you do any good or not, you still get your money." -Moliere "A Physician in Spite of Himself" 1664
Bennfine
Posts: 6
Incept: 2012-12-05

Noob question here....I so agree with Karl that a laptop should be encrypted (and this is not really emphasized anywhere).

My question-how does encryption work with dropbox? I love dropbox to sync my files from home to work. If I encrypt my laptop what happens? Thanks.
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
Nothing on Dropbox is secure, ever, period.

If you need secure storage and transport set up a VPN and use it to connect from the remote to the place where the files are, and store those files in that place on an encrypted filesystem using an OS you trust (which is most-emphatically NOT Windows.)

Dropbox is fine for pictures of your cat -- if you don't give a **** who gets their hands on them.

----------
Winding it down.
Chemdude
Posts: 11
Incept: 2017-08-29

Is there any reason to hope that there may be an open, FreeBSD-based smartphone? Or are the economics of such a project too poor to draw entrepreneurial interest? Any color you may be able to add on the issue would be gratefully appreciated!

I only ask because my own experiences with running FreeBSD as a storage server and separately as a router have been stellar.

(Great write-up on the FreeBSD laptop! Thinkpads are fantastic in this regard)
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
The issue becomes the RIL, which is closed-source code to talk to the RF side, and that others have tried (e.g. BB10) and gotten nowhere in terms of market acceptance.

Without the apps nobody will buy, and without buyers nobody builds the apps. How do you solve that?

----------
Winding it down.

Struggler
Posts: 4
Incept: 2019-01-28

Quote: Instead of Dual-Booting the system, why not install your FreeBSD and then create a virtual Windows machine using Virtualbox....?

KD replied: Several reasons: 1. Running FreeBSD under Windows using its hypervisor can be done. But if the point is to NOT run Windows except when you want/need it that's self-defeating.

I thought the idea was that FreeBSD is the OS, and Windows doesn't run unless you open the VM and boot Windows inside it.

This stuff is important to me. I need a new laptop, I don't want Mac, and I would rather go offline than use Windows10. I was going to go Linux + WINE but I am as worried as everyone else by what is happening. I would like to try FreeBSD - but I couldn't cope with the setup described here because if I made any mistakes at all I'd be stuffed, I simply wouldn't know what to do. But I might be able to set up FreeBSD and a VM without driving myself insane.

OTOH are there any laptops still made that will run Windows7?
Tickerguy
Posts: 156031
Incept: 2007-06-26
A True American Patriot!
FreeBSD has WINE as well, and to a material degree it works. The problem of course is when it doesn't, and there's a performance hit involved in using it.

Using FreeBSD as the host runs into potential licensing issues, because the license is hardware-bound and may not activate when run in a VM. I haven't tried it but unless you have a volume license that is hardware-agnostic it probably won't. The OEM licenses that companies buy from Microsoft are tied to the hardware architecture in question and by definition a VM is not going to match it.

Frankly, dual-boot is IMHO the better choice unless you need access to both at once, THEN you want the VM answer. VMs are great in their intended use, which is of course more than one environment running at one time.

Again on a desktop it might make sense. Maybe. But on a laptop I would argue it rarely if ever does.

----------
Winding it down.
Maurevel
Posts: 620
Incept: 2009-06-14

Canada
Many thanks for this write-up.
Rufust445
Posts: 789
Incept: 2007-08-11

Emerald City
Porteno wrote..
Karl, I immensely respect your writing and positions, but I gotta call ya out on still using Lenovo, even refurbished.

Lenovo has shipped very questionable BIOS level software before: see footnote 1., and they're not above shipping baked in crapware multiple times: see 2.


What he said. The rest is a far deeper dive than I'd care to take w.o getting a headache.

Sent from my HP Elite Book (pre-2011) running Linux Mint 17.3.
(in dual boot w. Windows 10)

----------
"The stock market isn't bullish, it's bull$hit." -- Alan King