Installing Qubes in a Chromebook?

I’m curious: is there any step particularly different about installing Qubes OS in a chromebook? If it’s just as “easy” these could start being some go-to recommendations for new users.

1 Like

In my opinion the setup is pretty easy. All you have todo is go to
MrChromebox.tech website

search for a device that uses "screw or jumper " as WP Method (Write Protection Method for the BIOS Chip) Why is this important ? From what i know, the CR50 Chromebooks use a Security Chip from Google some mixture of TPM and Management Engine. So i try to avoid these.

And lookout for the “UEFI Firmware (Full Rom)” option. This means the flashing coreboot process turns your chromebook completly into a coreboot Laptop (Chrome OS will not work after the process)

When you have some models that fit your needs, head over to the Gallium OS (a xubuntu version that is tweaked for chromebooks ) wiki and look up if your laptop is well supportet it is kind of gambling because it depends on some things like your kernel for example. But i would recommend some research on reddit etc to find infos about your chromebook model.

Since this model uses coreboot with tianocore as payload, it is pretty straight forward.

Open Case, pull out the hardware protection screw
Boot Chromebook in recovery mode
Enable developer option
Boot up into guest mode
Open Shell
wget a script from Mr Chromebox techs website
Follow the script and use “complete alternative firmware”
Wait for it to finish
Reboot and you will see the coreboot rabbit
Press ESC
and boot up the Qubes OS installer

Lowering the Memory/CPU option in Qubes Manager for your AppVMs is good idea.

Testet with disposable sys-net/sys-usb and whonix.

Again its best for surfing, reading ebooks, some youtube or writting. I thought thats a good option for journalists. Since this Chromebook C740 is pretty lightweight, small and has a relatively long battery life

2 Likes

I could make a tutorial if anyone is interested. Maybe then i have a reason to buy the Acer Chromebox ^^

1 Like

Thanks so much for the explanation. So it seems a bit involved for a non-technical user but if someone managed to do the installation for the user then the perks should be pretty nice. Among other things, the relatively reduced price and portability.

If you have the bandwidth for that I think it could pave way for some more potentially affordable / lightweight Qubes setups :slight_smile:.

Indeed! :smiley: (related Qubes for at-risk populations)

1 Like

I was thinking about an Alpine Linux template VM ? This would bring a whole new life to the Chromebook coreboot Qubes thing.

2 Likes

A Qubes “Light” edition. Perhaps the minimal templates compare to Alpine?

1 Like

I will test and report over this weekend :slight_smile:

1 Like

An Alpine Linux template would be wonderful. Please ping me if you ever get one working

1 Like

I’m not sure the protection extends to non-CrOS installations.

My understanding is the screw (available on older models only) protects the CrOS firmware, but when you remove the screw to install another OS, this protection vanishes; possibly forever.

However I’d love for this to not be the case, so please let me know if you have evidence to the contrary.

 


Not technically trained; consume advice with salt.

@deeplow Not sure if this should go in the split thread or stay here, since what I’m replying to is here.

1 Like

Yep , sad but true.

I played around with flashrom on a fedora clean install and flashrom can’t read the chip but only due to an “booting up state” ME. Some regions should be writable but that is definitely beyond my knowledge. Tinkering with flashlayout regions.

With an external programer like the Ch341a i could read/write the bios. With and Without the screw. But thats in my opinion dispensable because if someone has the time to open up the bottom with ~12? screws and use a hardware programmer then the last WP screw will be no problem.

I will correct that. Thanks for clarifying that

1 Like

Nonetheless, a “how to install on chromebook” could be interesting as a separate thread. Since this is the HCL Reports thread. Or do you disagree? Yes its sad that the write protection will not work after flashing coreboot, but there are other good points for using a chromebook.

I don’t disagree–there’s just one less point for installing Qubes on Chromebooks.

The pre-installed Coreboot is still a very big argument for it, though. I have yet to confirm that ME is removed, but Coreboot is definitely installed on all recent Chromebooks. Does Coreboot imply that ME is removed? Since ME is a separate OS, I’m not sure.


Not technically trained; consume advice with salt

You should look up the me cleaner project. As of my understanding, they analyze the ME firmware and start to delete different regions of the ME partition layout. So its still there but in a crippled state. So its not fully functional.

In my opinion every step towards open source and more user controlled hardware is the right step. Not a chromebook fanboy and i don’t say that this is the future but what are the alternatives ? HP with a completly HP controlled shure start protected bios ? Lenovo with China Bios ? Or Dell (we all know the best friend of dell) ?

You can compile Coreboot with the option to “clean” the intel me region from my understanding they rely also on the me_cleaner project.

I understand, but what I’m getting at is this: I haven’t seen any indication that installation of Coreboot entails deactivation of ME. Yes, there’s an ME Cleaner out there (though for a limited range of processors, if my memory serves me well), but this doesn’t answer the question of whether Chromebooks have an active ME.

Does Coreboot’s presence entail ME’s absence?

I’m a bit troubled by Google’s privacy issues, but I have a high opinion of CrOS, especially its secure boot feature.

I’m sorry but i guess i don’t understand your question. Do you mean “if coreboot is flashed will the ME removed per default?” ?

I don’t think so. The ME is Hardware integrated that checks the CPU state with a signed key. I guess even Google can’t change that.

Ok i will try it again ^^

If you compile coreboot yourself, the me_cleaner script can be applied as an option.

Neutralizing the ME
A collaborative effort to neutralize the ME has found some success, see here. This tool has been included in coreboot and can be enabled with the option “Strip down the Intel ME/TXE firmware” (CONFIG_USE_ME_CLEANER).
This can free up most of the space used by ME, allowing you to use a larger CBFS. See here.

The me_cleaner script depends on the ME Firmware version not CPU specific. Just FYI :slight_smile:

I guess they have. But the only way to find that out is to dump the original Chromebook firmware and look for an ME region. But since the ME is integrated in nearly any Intel CPU i would bet its present also on regular chromebooks with CrOS.

1 Like

I might have conflated disabling with removing.

It might be true that Google disables ME (but doesn’t remove it), but I have yet to see documentation that shows this. This is why I also find your quoted point less-than-accurate.

Edit: I meant to say that it’s not clear whether Google disables ME. One surefire way to confirm this is if Coreboot installation wipes/disables ME, which is why I’ve been repeating this point. Sorry for the lack of clarity.

I could make a tutorial if anyone is interested. Maybe then i have a
reason to buy the Acer Chromebox ^^

I think being able to disable ME and run Coreboot would be particularly
interesting with some of the high end Chromebooks all with 16 GB RAM, at
least 256 GB SSD and most critically CPUs that support Vt-d:

  • Google Pixelbook Go (i7-8500Y)
  • HP Elite c1030 (i7-10610U)
  • Asus Flip C436 (i5-10210U)

IF these can be made fully user-controlled they could be the solution

1 Like

I know I am still owing that (series) of blog posts on debian-minimal
based qubes. As soon as I have slayed a professional dragon I wrangle
with currently I will write it – promise.

My point: we already have an ultra light-weight approach:
debian-minimal! My Qubes system is fully functional doing probably a lot
more than the average install but most of my sys-vm’s for example clock
in at less than 200 MB. sys-net at 250 MB and sys-usb at 300 MB (to make
the camera work).

The average app qube comes in at 400 MB. The only “monster” I couldn’t
tame yet is firefox-esr which needs at least 1.5G if you have multiple
tabs open with some JavaScript enabled. Not sure this can be improved much.

1 Like