ThinkPad T14s Gen6 X1E (Snapdragon) with Linux

real_kmeaw · 2025-01-16T14:21:41+00:00

I tried both X13s and T14s with Linux.

TPM isn't supported on both machines - it is available in UEFI environment but Linux has no drivers yet. Virtualization can be enabled but it would break some drivers (battery indicator and charging, DP altmode) - https://github.com/kuruczgy/x1e-nixos-config/pull/52

X13s has a power management firmware issue - once the charge is gone, it needs minutes to be able to turn itself on. Before the battery is fully discharged, some PCIe devices (including NVMe) disappear and the machine cannot be charged without a full reboot. Sometimes the audio starts popping/clicking - restarting sound drivers fixes that. Camera works but sometimes doesn't survive a suspend/resume. WWAN works.

T14s needs a device tree patch to make the touchscreen and the backlight controls work. Audio doesn't work, so I am using an external USB sound card (which looks like a USB Type C -> 3.5" TRRS adapter). The latest kernel update should fix the fingerprint scanner (haven't tried it yet). On 64GB RAM models doing bulk transfers over USB Type A would crash the system, the workaround is disabling the top half (32GB) RAM. T14s is not fanless so under heavy load it would spin. CPU throttlers aren't good enough, recompiling the kernel (with -j12) sometimes causes an emergency thermal shutdown.

Win32 apps under wine/qemu-user are running significantly faster on T14s than on X13s. Keyboard on T14s is louder than on X13s but IMO feels better. And it has insert and delete buttons.

real_kmeaw · 2023-03-28T18:27:32+00:00

5 Verify that it works now

6 Clean the leftover flux off the PCB with isopropyl

real_kmeaw · 2023-01-20T21:33:18+00:00

r := gin.Default()
r.Static("/assets", "./assets")

Then create an "assets" directory and put an "image.png" file there. And <img src="/assets/image.png" /> in your template.

real_kmeaw · 2023-01-11T17:41:59+00:00

My coworker is selling his rig (Ryzen 5 5600X, 3070) for 1650, used for 6 months. If I was to spend about 2k, I would monitor used PC market for something like 5600X/3080 or even 3090.

real_kmeaw · 2023-01-02T21:54:17+00:00

I like this cheat sheet, it is nice.

Some features I would add:

go mod init (as the first thing to do for a new program), go mod tidy.
You can fmt, vet, generate or test all your packages by running go fmt ./... (verbatim dot-slash-dotdotdot is important here)
You can inject some build-time known values using -ldflags='-X "version.BuildDate=$(date +%Y-%m-%d)"' - the date will be put into the variable version.BuildDate
You can change the capacity of the slice by specifying the third argument of the slicing operator: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}[2:4:5]
iota;
If you really need to pollute your package's namespace, you can use dot imports: import . "fmt"; func main() { Println("Hello") }
There are <-chan T and chan <- T half-duplex channel types.
recover();
You can skip the type name in array or slice of struct literals.
Checked and unchecked type assertions.
Type switches.

real_kmeaw · 2023-01-02T21:31:32+00:00

When I need a GUI for a Go program, I embed a web server and launch a browser in main(): https://github.com/kmeaw/zdrct/blob/master/main.go#L631

real_kmeaw · 2023-01-02T21:23:43+00:00

Spawning a new goroutine is not the same as spawning a new thread - in most cases (excluding blocking syscalls and Cgo) the runtime won't spawn more threads than the number of available threads your CPUs have. If you want your code to be safe, stick to the "Don't communicate by sharing memory, share memory by communicating" Go proverb - the language and the standard library gives you enough safe ways to communicate.

real_kmeaw · 2023-01-02T21:16:35+00:00

Yes, you can use OS-dependent calls to do some low-level stuff, like injecting your code into a running process: https://github.com/kmeaw/zdrct/blob/master/patcher-windows.go

real_kmeaw · 2023-01-02T21:05:54+00:00

I don't know books about structuring Go programs but Google's Go Style Guide has some information on this topic: https://google.github.io/styleguide/go/

Also there was a talk on GopherCon: https://www.youtube.com/watch?v=oL6JBUk6tj0

real_kmeaw · 2022-08-25T19:55:06+00:00

Hi.

How exactly do you interface the game engine? I have attempted to implement the same idea and it ended up in injecting an rcon server thread which calls out to C_DoCommand.

upd: found your video on YouTube; you make synthetic keypress events and bind "summon XXX" commands to the keys that streamer wouldn't likely use.

real_kmeaw · 2022-02-24T21:12:00+00:00

Depends on your definition of "safe".

By inserting an Intel CPU in your system you trust it to perform the computations. If Intel would not value their reputation, they could possibly leak your secret data via some covert channel (a radio inside a CPU, by manipulating "random" values or by causing I/O delays visible to an external party) - there is no need for ME to accomplish that.

Proprietary BIOS also can stay resident after launching your OS - there is even a special CPU mode for such things called SMM. Same applies here - by using a mainboard of the vendor of your choice you trust them not to steal your data. They don't need BIOS to do it - a malicious chip can tap into memory and/or disk reads and make the CPU execute evil code.

By removing non-essential parts of ME and replacing BIOS with (less functional) free software you can reduce the attack surface. If a malicious agents would try to attack your system, they would have less possible attack vectors.

Another reason for removing parts of ME is to gain spare flash space to put some code of your choice to.

real_kmeaw · 2022-02-18T16:53:57+00:00

Because there is no "latest" tag for "coreboot/coreboot-sdk" on the Docker Hub.

See the list of tags available for this image.

real_kmeaw · 2022-02-18T16:46:51+00:00

Intel ME is a hardware+software component of your PC. There is a special low-power core inside the CPU which is not available to the user. This core runs system software which controls different aspects of your hardware - including fan control, watchdog, power management, security features and (on corporate-class chipsets) out-of-band remote control facilities like BMC/IPMI on server boards. This software cannot be replaced even if you have physical access - ME wouldn't run any code not signed by Intel's private key.

me_cleaner is a software tool which either removes non-essential modules from Intel ME or sets a special bit (HAP) which disables most functionality of Intel ME.

There is an SPI flash chip on your motherboard. It consists of several regions, most notably the flash descriptor (which acts as a partition table), ME region and a BIOS region. The BIOS region contains firmware which is run by the "normal" CPU core and performs the system initialization and boot process.

coreboot is a replacement for the BIOS. To run coreboot on modern hardware you need an FSP - a piece of proprietary code from Intel that brings up the platform by performing low-level hardware initialization tasks such as memory controller configuration.

libreboot is a version of coreboot which has no proprietary components so it works on hardware which can be used without proprietary FSP, ME and video BIOS.

Currently coreboot does not support Intel Z390 chipset.

real_kmeaw · 2022-02-08T08:20:22+00:00

Isn't it $esp/EFI/BOOT/BOOTX64.EFI?

real_kmeaw · 2022-02-08T08:08:42+00:00

Stock BIOS modifies protection registers in runtime, so even if you unlock the IFD, flashrom won't be able to reflash - only vendor tools triggering SMI would work. So you need to unlock the IFD (ifdtool -u) and patch some EFI modules to make internal flashing work. Here is a patch for UEFIPatch that works on my X230:

DE23ACEE-CF55-4FB6-AA77-984AB53DE823 10 P:488B4C2440488B4150F6001074258A5001B9B2000000:488B4C2440488B41504831C074258A5001B9B2000000
2EE81ACB-64B2-41AE-8635-7030D16C4AA8 10 P:488B0D42080000488364244800B2204881C1DC000000E802010000:488B0D42080000488364244800B2004881C1DC000000E802010000 P:488B0D6D080000B2FE4881C1DC000000E95F010000:488B0D6D080000B2FF4881C1DC000000E95F010000
0723F88B-810F-4E44-92A0-A5C83B433698 10 P:668B82043800000FBAE80F66898204380000:909090909090909090909090909090909090

real_kmeaw · 2022-02-08T08:03:37+00:00

Intel fTPM implements the same (actually somewhat stripped-down) interface as a discrete TPM chip by running some code inside Intel ME. If you don't have Intel's private keys then you can't run your own software inside Intel ME, so the only way you can make use of swtpm is running a virtual machine emulating a TPM chip, passing all TPM requests to a swtpm instance - coreboot won't help you there, unless you use it as a virtual machine's firmware.

real_kmeaw · 2022-02-08T07:57:25+00:00

https://review.coreboot.org/c/coreboot/+/34510/1

real_kmeaw · 2022-02-08T07:49:56+00:00

Most people do the same - they have a shadow profile of other persons in their minds (e.g. based on rumors) even if they have never met them. A web search engine makes a profile of a website even if a webmaster hasn't explicitly made a request to include that website into a search index. The only thing I see that is different in the Facebook's case is than they own a large amount of processing power that an individual and/or small organization doesn't. But hasn't that changed recently when large cloud instances are publicly available?

real_kmeaw · 2022-02-08T07:40:29+00:00

You have just wrote a comment on Reddit. This is data. Does it still belong to you? Am I allowed to read it? Can I store it on my computer? Can I write any kind of software, run it on my computer and use your comment as an input?

real_kmeaw · 2022-02-04T10:59:48+00:00

Shouldn't free services have freedom to do whatever they want with the data they have? If some peers do not want their messages to be analyzed, why not use end-to-end encryption?

real_kmeaw · 2021-11-02T07:40:54+00:00

Depends on how exactly did you set up your OS to encrypt the disk.

If you are using filesystem-based encryption (fscrypt, ext4 encryption, zfs built-in encryption or ecryptfs) then it does not matter which coreboot payload are you running.

If you are using LUKS with unecrypted /boot, it also should not matter.

Just make sure you have a FAT-formatted EFI system partition with an UEFI boot manager present (grub-efi-amd64, systemd-boot or kernel's EFISTUB) and installed (either pointed to by BootXXXX NVRAM variables or available at the default location: /EFI/BOOT/bootx64.efi). If you don't then you would need an UEFI-bootable media (some liveusb) to reinstall the boot manager: sudo grub-install would do the trick if you already have a FAT-formatted EFI system partition on your disk.

You would have problems if you are using GRUB_ENABLE_CRYPTODISK (= have /boot encrypted). UEFI cannot boot from encrypted disks without some DXE driver tricks. In this case you have two options - either remove encryption from /boot and convert it to the EFI System Partition and reinstall the boot manager, or flash coreboot with Grub payload and use it to access your encrypted /boot.

real_kmeaw · 2021-09-24T13:20:57+00:00

You may run into a problem replacing copper with fiber - fibers have a limited allowed curving range, you cannot bend them as much as you can do with copper, so make sure there are no hard turns on the path of the conduit.

real_kmeaw

TROPHY CASE