in Musings, 475 references
I've had my Lenovo X220 for a long time. Time has moved on and yet until this last year I saw no compelling reason to spend money again. The X220 works great and the "improvements" have been small in number but large in price -- and thus not worth it, in my view.
This last year the X1 Carbon Gen 6 units showed up. The previous models were nothing special -- but the "6" was nice. The problem was that "nice" came with a screamingly-stupid price tag, so I passed. But now you can get the X1 Carbon Gen 6 models in a good configuration (i7, 16GB RAM and a 500GB SSD) at a nice price -- refurbished, but still with a decent amount of remaining factory warranty.
Incidentally, Lenovo has a rather nice "companion" app that allows you to (among other things) set the charge controller's maximum charge point on these machines (!!!) Setting it to 80% will cost you 20% of your runtime but it will double or better the battery's cycle life. In addition if you're connected to wall power and in the "no-charge window" (e.g. 75%-80%) the system will take its power from the A/C line but not charge, so the battery does not cycle in that state at all. Setting this is not a Windows thing either -- it programs the charge controller hardware so once set it is persistent even if you boot something other than Windows or the computer is plugged in but off. I like that a lot -- this ought to be mandatory on any sort of battery-powered mobile device (e.g. a phone), especially if the battery is not user-replaceable. You know damn well Apple, Samsung and the rest will never do that however since it's part of how they sell both computers and phones -- build them so the battery pukes in about a year and guess what -- you're back in their store! Oh Tim Crook you piece of crap jackass, why isn't this capability standard on all your MacBooks since you're allegedly the "innovation leader"?
In any event these machines can go 6+ hours of moderate use even with the charge point restriction in place, so you're not giving up much and with this set leaving the unit connected to power does nothing to battery cycle life, unlike virtually every other machine on the market. Incidentally, the new Coffee Lake processors (Intel Gen 8) are damn fast on a comparative basis. This is the first "innovation" in laptop CPUs that has been worth spending money on in five+ years, so if you're wondering if it matters -- it does. In addition these units have Samsung NVMe SSDs in them which are blistering fast, plus a Thunderbolt 3 port that can drive external video cards if you wish. I've seen no reason to "upgrade" from my X220 until now; it's still perfectly functional too, by the way.....
If you want my short list of complaints with "modern" laptops it's the port problem. Specifically, small and light means compromises when it comes to interior space and thus ports. Full-size SD slots (for example) consume interior space which is at a premium, so they're disappearing. Worse, on many machines so are USB Type A connections, which is IMHO utterly unconscionable. Yes, I know Type C is both smaller and comes with USB-PD, which is superior but there are literally a billion USB-connected devices out there that come with and require a Type "A" plug -- or some sort of adapter -- to use. Those devices aren't going away for a very long time, and as such having at least one (and preferably two) Type "A" port is IMHO required. Dell has screwed the pooch in this regard with their latest "ultrabook" models; Lenovo has only partially done so (there's no full-size SD slot, but there are two Type A ports.)
One big advantage of USB-PD connections found on newer devices is that we're moving closer to true interchangeability when it comes to power in the mobile world. Specifically, I can use the laptop's charger to charge my phone, I can use my phone's USB-PD charger (provided it can do 20V output) to charge the laptop (slower, but it should work), my car's USB-PD charger can charge the laptop (I no longer need an inverter) as well as my phone, and I can use the laptop battery to charge the phone as well. The latter means that if I need to I can plug the car into the laptop and the phone into the laptop as well on the second USB-C port and both will charge. This allows me to get rid of multiple things I used to have to carry, or continue to carry them and gain redundancy -- and that's a good thing.
One of the things I find insanely annoying -- and insecure -- is anything Microslug. Sadly I, like a lot of other people, cannot get away from it in that there's just too much software that I use on a regular basis but is either Apple or Microsoft only. I prefer a FreeBSD desktop for a lot of things, never mind that I want to do some code development on it when traveling, which of course means I want the code environment I write in 90+% of the time on my laptop.
So if you're inclined the same way I am when it comes to operating systems here's how to dual-boot it -- yes, with UEFI (the "new way of the world.") Oh, and to do so with full-disk encryption for both environments. I consider full disk encryption essential on a portable machine because they're much more likely to be lost or stolen than a desktop. Full disk encryption obviously won't stop someone from stealing the computer but it will make sure if someone does steal it they can't get to any of the data on it.
First, shut off secure boot in the BIOS settings. That's a Microsoft-signature thing. It does provide (some) security on the boot process, provided you trust Microsoft. I do not, so therefore..... yep. Note that if you have Bitlocker turned on (and you should if you've been using the machine) the restore process below will result in a non-encrypted Windows installation. That's fine; you can re-enable it later (and should.)
Next, use Macrium Reflect (the free edition is fine) to make room for a FreeBSD partition. The best way to do this is to back up the machine (make damn sure you create "boot media" and test it!), then RESTORE all the partitions using that boot media back to the machine's internal disk and, when restoring, resize the system ("Windows") partition to leave an appropriate amount of free space. 100GB is quite a lot of storage for a user-style FreeBSD system, unlike most WinBlows machines that are flat-out bloated pigs -- which means that pigheaded Winblows and nice FreeBSD will handily fit on a 500GB NVMe SSD and even a 250GB disk is more than enough (although you may wish to downsize the FreeBSD side to ~60GB in that event, which is still going to leave you an insane amount of room on that side.)
CAUTION: Do not be tempted to use a partition resizer to do this instead of using Macrium to take a full backup and restore. Several of the below steps have no "are you sure" option or safeties to prevent data destruction; the commands below assume you know what you're doing and take effect instantly. If you screw up during any of those steps and don't have a backup everything on the machine may be destroyed and it can be rendered unbootable, including any built-in recovery partition. Without recovery media or a backup and boot media for it you're in big trouble if that happens. Doing it right means knowing you have a good backup and can restore it before you begin, which is exactly what you just did and proved.
Now go here https://www.rodsbooks.com/refind/ to download Rod Smith's rEFInd EFI boot manager, then install it. UEFI machines are supposed to provide a decent set of boot management options but damn near none actually do; this bit of code overcomes that problem. The pages look sort of scary in terms of the amount of material present; they're not. You need the "zip" file which contains all the pieces necessary. Grab the package and read the Windows installation instructions; it's very simple to install this from the Windows command prompt. You only want the "x64" version (there are three; delete the other two before you copy it over.) To test the installation reboot; the system should show you a boot menu, but the only "real" bootable option will be Windows. If you screw up typing something what will probably happen is that Windows will start instead of you getting the menu -- go back and check your work if that happens. You're now set up to choose multiple operating systems painlessly every time you boot the machine.
Download FreeBSD-12 (the x64 version) from https://freebsd.org in the memory stick format and use your favorite tool (e.g. "dd" or win32diskimager) to copy it to a USB key or other similar thing (an SD card in a reader works just fine too.) Note: You want FreeBSD 12. You can use 11.x if you wish, but the nice integrated encrypted storage option I'm describing here might not work; I'm not sure if the encryption-aware EFI loader was MFC'd back to 11.x. You can still set up for encrypted disk storage without that but it's a lot more of a pain in the ass to do than what I'm describing here and makes maintenance using FreeBSD's internal tools more-complicated unless you're quite careful. Use 12; it's both more-secure in that there is no "exposed" non-encrypted boot partition and easy to set up by comparison.
FreeBSD's installer should, in theory, be able to handle a "multi-boot" environment with reasonable facility but doesn't and the only option it offers for automatic setup with encrypted storage uses ZFS on the entirety of one or more disks. That's reasonable on a dedicated machine with multiple drives but not for a laptop or other computer with one disk and a dual-boot requirement -- so you get to do the disk setup by hand.
Now boot the stick with FreeBSD-12 on it. On the Lenovo hit ENTER on initial start when prompted and then select F12 to change the "default" boot order and select the USB stick from the drop-down menu. Start the installer but when you get to the disk layout (there will be four choices; one of which is UFS and one of which is ZFS) select manual (it'll warn you that you have to be an "expert.")
You'll get a "#" (root) prompt.
Now type "gpart show | more" and look. You should see something like "nvd0" at the top -- which is your SSD. There should be a large unallocated space (marked " - free - ") of the size you left. Note it, and that it will not have an index number.
If there is no free space of the size you left YOU ARE LOOKING AT THE WRONG DISK.
# gpart add -t freebsd-ufs -l freebsd-root -a 4k nvd0
(assuming your disk is named "nvd0" in the above)
This will tell the system to add a partition for FreeBSD to the disk named, consume all remaining available space in that nice large block and put a label on it of "freebsd-root." This is probably what you want; the label is optional but will help you avoid mistakes while putting the system together.
Now look again at "gpart show | more"; you should see the freebsd-ufs partition you created. Remember the index number next to it. If it's "6" then the disk partition is in /dev/nvd0p6. The numbers may not (probably will not, if you resized from a backup) be in order. That's ok.
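The two things you are told to check by eye above (a free region of the size you left, and the index the new freebsd-ufs partition got) can be pulled out of "gpart show" output mechanically. The following script is an added example, not something from the original post; the two "gpart show" listings in it are constructed samples of a 500GB disk, not captures from a real machine, and it assumes 512-byte sectors.

```shell
#!/bin/sh
# Added example (not from the original post): read `gpart show` output and
# answer the two questions the post tells you to answer by eye before running
# the destructive commands: is there a free region of the size you left (if
# not, wrong disk), and what index did the new freebsd-ufs partition get?

# Constructed sample of "gpart show nvd0" output on a 500 GB disk before the
# FreeBSD partition is added (not captured from a real machine).
SAMPLE_BEFORE='=>        40  976773088  nvd0  GPT  (466G)
          40       2008        - free -  (1.0M)
        2048     532480     1  efi  (260M)
      534528      32768     2  ms-reserved  (16M)
      567296  766000000     3  ms-basic-data  (365G)
   766567296    2048000     4  ms-recovery  (1.0G)
   768615296  208157832        - free -  (99G)'

# The same disk after "gpart add -t freebsd-ufs ..." (also constructed); the
# index is 6, not 5, to mirror the post's point that indices need not be in order.
SAMPLE_AFTER='=>        40  976773088  nvd0  GPT  (466G)
          40       2008        - free -  (1.0M)
        2048     532480     1  efi  (260M)
      534528      32768     2  ms-reserved  (16M)
      567296  766000000     3  ms-basic-data  (365G)
   766567296    2048000     4  ms-recovery  (1.0G)
   768615296  208157832     6  freebsd-ufs  (99G)'

# Largest " - free - " region in whole GiB. gpart prints sizes in sectors;
# a 512-byte sector is assumed here (check with "diskinfo nvd0" if unsure).
gpart_largest_free_gib() {
    printf '%s\n' "$1" | awk '
        BEGIN { max = 0 }
        $1 != "=>" && $3 == "-" && $4 == "free" && $2 > max { max = $2 }
        END { printf "%d\n", (max * 512) / (1024 * 1024 * 1024) }'
}

# Index of the first partition of the given type (e.g. freebsd-ufs); prints
# nothing if there is none. Partition lines carry a numeric index in column 3.
gpart_index_of_type() {
    printf '%s\n' "$1" | awk -v t="$2" '
        $1 != "=>" && $3 ~ /^[0-9]+$/ && $4 == t { print $3; exit }'
}

# The post's rule: no free region of the size you left means the wrong disk.
# Succeeds only if a free region of at least $2 GiB exists.
gpart_check_free() {
    [ "$(gpart_largest_free_gib "$1")" -ge "$2" ]
}

# Stand-alone demo (on a live system you would feed in "gpart show nvd0").
if gpart_check_free "$SAMPLE_BEFORE" 90; then
    echo "free region found: $(gpart_largest_free_gib "$SAMPLE_BEFORE") GiB"
fi
idx=$(gpart_index_of_type "$SAMPLE_AFTER" freebsd-ufs)
echo "new partition is /dev/nvd0p$idx"
```

On the live installer shell you would replace the constructed samples with `gpart show nvd0` captured into a variable; the check deliberately fails when the largest free region is smaller than what you left, which is exactly the "WRONG DISK" case.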
Warning: If you do any of the following to the wrong partition you will destroy whatever is in it. There are no warnings or safeties on any of these commands; you're acting as "root", and it is assumed "root" knows what he's doing. That backup you made as the first step will come in real handy if you screw up here so don't do anything stupid to wherever you put the backup -- like erase or destroy it!
BEFORE you press RETURN in any of the below steps look -- TWICE -- at what you just typed or be prepared to use that backup you made and start over!
# geli init -b -g -l 256 -s 4096 /dev/gpt/freebsd-root
(note that the "-l" switch is the letter "l" -- not a numeral one)
This initializes encryption on this partition. "-b" and "-g" tell the system you are going to boot from it, and that the boot system should ask you for the password. "-s 4096" sets the block size; 4096 is a good choice with a decent split between performance and XTS fuzzing (security), and matches most SSD page sizes which is important on SSDs. "-l 256" says to use 256-bit AES instead of 128 and is optional. There's debate over whether 128 or 256 is more-secure; 256 is a bit slower, but not much. Note that you cannot change either the sector size or AES length once the partition is initialized without erasing everything in the partition you are encrypting. Unlike Bitlocker on Windows there is no "encrypt in-place" option.
You will be asked for a password. Use a strong password and do not forget it. There is no way to recover anything on that partition if you lose it. Ever. Period. There is no recovery key à la Bitlocker; you either have the password (the system does allow you to set a second one but that's beyond the scope of this document) or there's nothing you can do to get the data back.
When that command completes type:
# geli attach /dev/gpt/freebsd-root
And enter the password when prompted. If it's correct you'll see a couple of lines announcing the filesystem is attached and another root prompt. If the password is wrong it will tell you; repeat the command and put in the right one. If you accidentally put in the wrong device name the password will obviously not work since it's not the correct part of the disk.
# newfs -t -J -U -L rootfs /dev/gpt/freebsd-root.eli
Note: The ".eli" name on the end denotes the encrypted partition you just attached. This initializes the filesystem itself; you are telling the system you are on an SSD and want it to use "TRIM" ("-t"), you want Journaling and Soft Updates (both good for performance and data security / reboot speed) and you also want a label called "rootfs". The last switch isn't really necessary -- but it's good practice.
Now you have to mount that filesystem where the installer wants it so it can put the operating system on there for you:
# mount /dev/gpt/freebsd-root.eli /mnt
And then create two files necessary for the system to boot when you're done -- an /etc/fstab file to tell the system where the filesystem is you created and a loader.conf file so the system knows where to find the root filesystem and to load the encryption driver during the boot process:
In /tmp/bsdinstall_etc/fstab put:
/dev/nvd0p6.eli / ufs rw 1 1
And in /tmp/bsdinstall_boot/loader.conf place:
"vi" is a good choice to do that, assuming you know how to use that editor. "echo" will work too (one line at a time.) So will "ee" (Easy Editor.)
(nvd0p6.eli may be different depending on what you saw above -- if unsure look again with "gpart show | more" and look for the index number of the partition. Note there is no "/dev" prefix and that ".eli" on the end must be present; that's the attached encrypted copy. Without it the system won't boot as it will try to read the unencrypted device and will see garbage.)
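Because the two files above are written by hand at a root prompt with no safeties, here is an added example (my script, not anything from the original post) that writes them from a single device name and refuses the two mistakes called out above: a "/dev" prefix and a missing ".eli" suffix. The post does not show its loader.conf contents; the two lines this script writes (geom_eli_load to load the encryption driver, vfs.root.mountfrom to name the root filesystem) are my assumption of the standard FreeBSD knobs for that purpose, and the scratch directories are used so it can be run anywhere without touching the installer's /tmp/bsdinstall_* paths.

```shell
#!/bin/sh
# Added example (not from the original post): write the two boot files the
# installer needs, refusing device names that would leave the system unbootable.
# Assumption (mine, not the author's): loader.conf needs geom_eli_load="YES"
# to load the encryption driver and vfs.root.mountfrom="ufs:<dev>" to name the
# root filesystem; the post itself does not show its loader.conf contents.

# Validate the bare device name: no "/dev/" prefix and a ".eli" suffix, because
# without ".eli" the kernel would try to mount the raw (encrypted) partition.
check_root_dev() {
    case "$1" in
        /dev/*) echo "drop the /dev prefix: $1" >&2; return 1 ;;
        *.eli)  return 0 ;;
        *)      echo "missing .eli suffix (would mount the raw encrypted partition): $1" >&2; return 1 ;;
    esac
}

# fstab entry exactly as the post gives it: device, mount point, type, options, dump, pass.
fstab_line() { printf '/dev/%s / ufs rw 1 1\n' "$1"; }

# loader.conf lines (assumed standard knobs, see above).
loader_conf_lines() {
    printf 'geom_eli_load="YES"\n'
    printf 'vfs.root.mountfrom="ufs:%s"\n' "$1"
}

# write_boot_files DEV ETCDIR BOOTDIR
# Inside the installer ETCDIR is /tmp/bsdinstall_etc and BOOTDIR is
# /tmp/bsdinstall_boot; any other directories work for a dry run.
write_boot_files() {
    dev=$1; etcdir=$2; bootdir=$3
    check_root_dev "$dev" || return 1
    mkdir -p "$etcdir" "$bootdir" || return 1
    fstab_line "$dev" > "$etcdir/fstab" || return 1
    loader_conf_lines "$dev" > "$bootdir/loader.conf" || return 1
}

# Stand-alone demo against a scratch directory: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_boot_files nvd0p6.eli "$d/etc" "$d/boot" && cat "$d/etc/fstab" "$d/boot/loader.conf"
    rm -rf "$d"
fi
```

In the installer you would call `write_boot_files nvd0p6.eli /tmp/bsdinstall_etc /tmp/bsdinstall_boot` with whatever index "gpart show" gave you; the name check runs before anything is written.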
Now you need to mount the existing EFI partition on the drive and copy in the FreeBSD loader. The UEFI boot manager you installed earlier will be able to find it automatically, but to do so you must place the FreeBSD loader that knows how to scan for and read encrypted disk partitions in the correct place. The following commands will do that (the "#" is the root prompt), assuming "nvd0p1" is your EFI boot partition on the disk:
# mkdir /tmp/mount
# mount -t msdos /dev/nvd0p1 /tmp/mount
# mkdir /tmp/mount/EFI/FreeBSD
# cp /boot/loader.efi /tmp/mount/EFI/FreeBSD/bootx64.efi
# umount /tmp/mount
# rmdir /tmp/mount
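The copy step above is the one that the boot manager depends on, and a typo there leaves a menu entry that does nothing. As an added example (not from the original post), here is the same copy as a function that checks the source loader exists, checks the target really looks like an EFI system partition, and verifies the copy before you unmount. Mounting the partition is deliberately left to the caller (the post's "mount -t msdos" line) so the function can be exercised against any directory.

```shell
#!/bin/sh
# Added example (not from the original post): the loader copy from the post as a
# function that checks its inputs first. Mounting the EFI partition is left to
# the caller (the post's "mount -t msdos /dev/nvd0p1 /tmp/mount"), so the copy
# logic can be run against any directory, including a scratch one.

# install_freebsd_loader ESPDIR [LOADER]
#   ESPDIR  - mount point of the (already mounted) EFI system partition
#   LOADER  - source loader; defaults to /boot/loader.efi as in the post
install_freebsd_loader() {
    esp=$1
    src=${2:-/boot/loader.efi}
    dst="$esp/EFI/FreeBSD/bootx64.efi"

    # A loader that does not exist or is empty would leave a dead menu entry.
    if [ ! -s "$src" ]; then
        echo "loader not found or empty: $src" >&2; return 1
    fi
    # A real EFI system partition already has a top-level EFI directory; a bare
    # directory most likely means the wrong partition was mounted.
    if [ ! -d "$esp/EFI" ]; then
        echo "no EFI directory under $esp: is that really the EFI partition?" >&2; return 1
    fi
    # Only our own subdirectory is created or written; nothing else on the
    # partition (Windows' or rEFInd's files) is touched.
    mkdir -p "$esp/EFI/FreeBSD" || return 1
    cp "$src" "$dst" || return 1
    # Verify the copy byte for byte before the partition is unmounted.
    cmp -s "$src" "$dst" || { echo "copy verification failed: $dst" >&2; return 1; }
    echo "installed $dst"
}
```

On the installer shell the sequence becomes `mount -t msdos /dev/nvd0p1 /tmp/mount`, then `install_freebsd_loader /tmp/mount`, then `umount /tmp/mount`; a non-zero return from the function means nothing was written beyond the FreeBSD subdirectory.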
Now you can type "exit" at the "#" prompt and you will be back in the installer with all the "bits" in the right place for it to put the system on the disk for you. Do the other usual things in the installer, including setting up networking and similar.
When you're done let the installer run and finish. When it goes through the normal process and you reboot you should get a boot manager screen with TWO usable options (there will be others as well); one of them should be FreeBSD's "Beastie Head", and selecting that option should immediately prompt you for a password, which is required to unlock and boot the partition you have just set up.
Congratulations; you can then set up X11 if you'd like (e.g. gnome, etc); be aware that the Carbon Gen 6 wants the "scfb" driver declared for X11 to work which is a bit annoying; a file called "driver-scfb.conf" goes in /usr/local/etc/X11/xorg.conf.d once you have xorg loaded and should contain the following to tell it to probe that driver:
Without that Xorg's auto-configuration will not find the Intel graphics and X11 will refuse to start.
Now reboot into Windows and turn Bitlocker back on. Unlike with the X220, where I had to do some rather arcane things with the Group Policy Editor to make that work (Bitlocker would otherwise throw up as soon as I booted FreeBSD), so long as you have loaded the UEFI boot manager and the FreeBSD loader into the EFI partition before you do this it should be fine with you switching back and forth between operating systems -- it is on my machine. Expect it to raise hell if you tamper with anything in that EFI partition after Bitlocker has initialized, but once you've set everything up there is no reason to screw with that area of the disk again, and in fact if someone does it's probably good for the system to raise a stink about it.
Do be aware that if you use Gnome by default it will try to mount all the partitions it can find when you sign in and will complain a lot if you have the Windows partition encrypted (as expected); the best option there is to turn the automount feature in Gnome off.
Be aware that without policy editing Bitlocker is only as secure as your physical machine and the login passwords on it: TPM 2.0 machines will boot a Bitlocker disk without a PIN entry, so if your login password is crap or you use the fingerprint sensor the Windows partition is not secure against someone who can guess or spoof either, and the very real possibility exists that Microsoft has a way in to such a booted machine via some Redmond-placed back door.
Finally, delete any existing Macrium Reflect backup XML profiles you used for Windows and re-create them. Attempting to use the old ones from before you resized the partitions will not work since you've changed the partition layout; they will appear to run initially but error out during the process. Make a final, new base backup for your Windows side and make sure it verifies, then use the FreeBSD tools of your choice to do so for the Unix side so you're protected there as well.
The only "gotcha" I've noticed is that 802.11ac WiFi isn't recognized, but I believe this is still a FreeBSD limitation as of 12-RELEASE. I don't have an external Thunderbolt dock so I have no idea if an external video card will come up, assuming appropriate entries in the X11 configuration files.
Note: The options I specify above in setting up the encryption environment make the basic assumption that the purpose of encryption is to protect against a thief getting access to your data. If your assumption is that you're trying to protect against a determined adversary with nearly-unlimited resource (e.g. a government, a police force, etc) then you have plenty of work to do before choosing those options -- never mind that Bitlocker on Windows is likely not secure against such an adversary at all.