This private key is also used to sign the boot files on my computer. When re-flashing my Heads install, I answered some of the prompts without fully comprehending my actions and accidentally wiped my private key.

I no longer have access to it and needed to generate a new one. This new key is signed by an older key, which is known to several of my contacts. It is also signed using my Qubes Documentation Signing Key, which in turn was previously signed by the lost key.

I never got around to finish the draft, but others have continued and build upon it. See this thread.

About a year ago I promised in a Qubes OS Forum thread to write a guide on how to automate debian-minimal based template creation. Today I publish a first rough and incomplete draft, that nevertheless should be useful.

I will keep fleshing it out. Please post all feedback, question or corrections you have into this thread and I will answer there and update the guide as we go along.

Since Qubes OS R4.0.3 no workarounds or troubleshooting are required anymore and the ThinkPad P51 is now listed as one of the community-recommended computers.

With significant help from members of the qubes-users mailing list, I was able to install Qubes OS R3.2 on my new ThinkPad P51 (model 20HJS0BX00). The starting point was the Qubes OS Hardware Compatibility List linking to swami’s post on qubes-users, which describes or links all the steps below except for the use of the USB-to-Ethernet adapter to run the initial update.

A little twist that distinguishes my ThinkPad from his is that my networking hardware requires kernel version 4.9 to run, while after the install Qubes OS runs version 4.4. Therefore some extra steps and hardware are required to run the initial update to kernel 4.9 to make everything work:

• another computer running Fedora or Qubes OS with a Fedora qube (to create the USB sticks)
• Qubes installer USB stick prepared using Fedora’s livecd-tools
• rEFInd live USB stick
• Linux-friendly Ethernet-to-USB adapter (e.g. the one from Apple)

Create Qubes installer USB stick

This step was described by Dave C.’s post with additional important input from Stephan Marwedel.

1. Get the ISO, signature and signing key from the Qubes OS Download page.
2. Follow the instructions on digital signatures and key verification.
3. Install the ‘livecd-tools’ package.
4. Run sudo livecd-iso-to-disk --efi --format Qubes-R3.2-x86_64.iso /dev/sda (assuming /dev/sda is the USB stick).
5. Mount the newly created USB stick and edit /EFI/BOOT/xen.cfg. In this file, replace every occurrence of ‘LABEL=Qubes-R3.2-x86_64’ with ‘LABEL=BOOT’.
6. Unmount and run sudo dosfslabel /dev/sda BOOT (assuming /dev/sda is the USB stick).

Create rEFInd live USB stick

1. Download the USB flash drive image from Roderick W. Smith’s rEFInd Boot Manager page.
2. Run sudo dd if=refind-flashdrive-0.11.2.img of=/dev/sda bs=1M (assuming /dev/sda is the USB stick).

BIOS settings

• boot in UEFI mode (not legacy)
• disable secure boot
• set graphics to discrete
• enable all virtualization features including VT-d

Install Qubes

1. Boot the ThinkPad with the Qubes installer USB stick and run through the normal setup routine.
2. When it is time to reboot, remove the Qubes installer USB stick and insert the rEFInd live USB instead.
3. Once in the rEFInd boot manager, select the /EFI/BOOT/xen.cfg entry to boot.
4. On the Qubes OS configuration screen, do not create the sys-usb qube yet!
5. Finish configuration and log into Qubes OS.

Using USB-to-Ethernet adapter to run initial update

Both Taiidan and an earlier comment from Yethal helped me figure out this sequence:

1. connect the USB-to-Ethernet adapter and shutdown all qubes
2. in dom0 run qvm-prefs -s sys-net pci_strictreset false
3. add your USB controller to sys-net using the qubes manager
4. start sys-net and sys-firewall - you should now be online!
5. update the fedora-23 template
6. update dom0
7. reboot with rEFInd USB stick
8. use uname -r to make sure you are running kernel 4.9 in both dom0 and sys-net. In my case sys-net was now running kernel 4.9 but dom0 was still on 4.4. It took the extra step of running sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm --best --allowerasing to upgrade dom0 to kernel 4.9.
9. shutdown all qubes and remove the USB controller from sys-net
10. in dom0 run qvm-prefs -s sys-net pci_strictreset true
11. reboot with rEFInd USB stick

Fix EFI boot configuration

For some reason the EFI entry generated by the Qubes installer doesn’t work, which is why we had to use the rEFInd live USB stick until now to boot the machine. This can be fixed, by downloading the following packets via rpmfind.net:

• efibootmgr-15-1.fc26.x86_64.rpm
• efivar-31-1.fc26.x86_64.rpm
• efivar-libs-31-1.fc26.x86_64.rpm

Obviously those packets are not signed by the Qubes OS team and represent a security risk. Unfortunately the version of efibootmgr delivered with Qubes OS doesn’t fix the issue (it might actually be the cause of it). So you have to decide whether you want to keep booting with the rEFInd live USB stick or if you take the risk of installing those packets in dom0.

1. copy the files to dom0 and install them via sudo dnf install efibootmgr-15-1.fc26.x86_64.rpm efivar-31-1.fc26.x86_64.rpm efivar-libs-31-1.fc26.x86_64.rpm.
2. delete the old entry via sudo efibootmgr -b 0000 -B
3. create a new entry via sudo efibootmgr -v -c -u -L Qubes -l /EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1
4. reboot without the rEFInd live USB stick

Done!

Now the ThinkPad boots straight into Qubes OS R3.2 and all the hardware should work. During the installation we skipped creating sys-usb, which one might want to enable now that everything works. After successfully upgrading to kernel 4.9 one may switch the graphics BIOS setting back to hybrid. Finally I’d like to thank Unman and Rory for their help with approaches that ultimately didn’t work out but were definitely worth pursuing.