Jens Krämer

Debian Buster on a Thinkpad X270

 |  sysadmin, linux, thinkpad, debian, x270

TL;DR

It just works, except for the Intel WiFi which requires proprietary firmware. Use an ‘unofficial’ image that includes the non-free firmware stuff and you’re all set.

The what and why

I have this fine Notebook for nearly two years now, but so far somehow got along with the pre-installed Windows 10 pro.

First, I tried out this WSL thing, and it just worked. It basically gave me a Debian shell on Windows, which is really neat and doesn’t leave much to be desired if you’re working with tmux and vim 80% of the time anyway. Due to relatively poor filesystem performance (which lead to really poor git performance) at some point I started to use a Debian machine in Virtual Box instead for most things, but somehow still sticked to Windows for reason number two:

The Macbook Air which I used for photo and video processing was getting too cramped for handling both of these tasks. So I had started to use Lightroom on the X270 instead, and since I don’t like to spread out my raw files on external disks, there simply wasn’t enough room left on the 1TB SSD to add a Linux partition of any useful size.

But then, I got an iPad pro and it very quickly became the only device I wanted to do any kind of video or photo processing on. You’re probably not here for reading praise of Apple products, but let me say just this: the display is gorgeous, there’s plenty of processing power, Lumafusion blows iMovie out of the water and Lightroom on iPad, while still limited feature-wise, is getting better with every release. The iPad pro is just the device for doing the kind of video / photo editing I’m doing. In fact, I’m sometimes using it for real work as well, but that’s another blog post actually. Back to Linux on the Thinkpad X270.

UEFI / Dual boot setup

I found this to be a good introduction for how to tackle this whole dual boot / UEFI / Bitlocker situation. Turns out it’s not all that bad, in fact I did not have any problems other than being able to…

Shrink that windows partition

It did not work. I followed any advice out there but got stuck with Windows refusing to shrink the system partition by more than a measly 7.5GB.

If you’re trying to do the same, two things:

  1. Check out this answer on superuser.com which conveniently has power shell commands for everything while most other answers to the problem send you on a click-hunt through Windows’ settings dialogs, some of which still look like straight out of Windows NT.
  2. Good luck!

At some point I gave up, made sure my backups were OK, disabled Bitlocker, and hoped the Debian Installer would do a better job with that.

Booting Buster

I put a Gnome-Live CD Image on a USB stick and fired it up - that worked like a charm, except, uh, no WiFi. Thank you Intel for requiring some non-free firmware blob to make your WiFi chips work.

An ethernet cable came in handy (and of course the fact that this thing has a real ethernet port), but the second time around (see below…) I resorted to an ‘unofficial’ image that includes the non-free firmware stuff.

I was impressed with the whole Gome 3 look and feel. Previously I felt Gnome and KDE were constantly getting in my way to the point that I ran Bunsenlabs with Openbox on my last Thinkpad but this time with Gnome 3 I think it’s fine. Maybe it’s me getting old, maybe it’s really that much better, I don’t know.

First installation attempt

In the left-hand application launcher of the Live CD Desktop is a link to a graphical installer which I promptly used. Language, timezone, keyboard, ah, partitioning. Fancy looking UI, I resized the Windows partition, created a new one for / in the resulting space, entered an encryption passphrase and told it to mount the 260GB UEFI partition to /boot/efi. Next and it started to work on that. I went away from the machine, assuming this would take a while. When I came back few minutes later, damn, the installer window was gone.

What happened? I have no idea, but I restarted the installer, and it looked like the partitioning went well. I continued using the new partition layout as is and couple minutes later I booted Debian from the notebook’s SSD. Even Windows still worked although it complained about some file system problems which were easily fixed by a checkdisk run.

Installing firmware-iwlwifi allowed me to move from crouching in front of the router back to sitting at my desk, and this was that. I set up a fully encrypted Debian along Windows 10 (encrypted as well after re-enabling Bitlocker) in less than an hour.

Problems

Of course, there is always something to complain about, so here we go:

Slow Boot Process due to Encrypted /boot

It bothered me quite a bit that I had to enter the LUKS passphrase before the Grub screen. Not only is it useless in case I want to boot into Windows, it also took ages (as in, more than ten seconds) to unlock the disk. Apparently that is a problem with encrypting /boot and Grub using some low-tech hashing implementations that are much slower than what is available later in Linux land.

It is possible to somewhat fix that by reducing the number of iterations used for the passphrase, but that also reduces the strength of the whole encryption. Also there would still be the general problem of having to enter the LUKS passphrase even when booting into Windows.

Since the merits of encrypting /boot are debatable anyway (someone able to mess with your kernel in /boot can most probably as well mess with your boot loader in the still unencrypted EFI partition) I decided to start over, this time setting up a separate /boot that would stay unencrypted, in the hope this would fix both the slow boot time and the timing when I actually had to enter the LUKS passphrase.

Hibernation / no Swap

Another reason for starting over was that I didn’t create a swap partition the first time, totally forgetting that hibernation usually depends on that. While it appears to be possible to hibernate to a swap file, that seemed to be a bit more manual setup work than I was willing to invest here for something that would (hopefully) just work if only I had a swap partition.

Second Attempt

In the meantime I had learned that this particular setup with the encrypted boot is the result of using the Gnome based Calamares installer that I used. Second time around I decided to use the graphical installer offered in the boot menu of the live CD image.

I created two partitions, one for /boot and one to be encrypted which would then serve as a physical volume for LVM. On top of that, one logical volume for swap, and one for the root partition holding the system itself. Since this is just a personal development environment I didn’t bother with setting up separate volumes for /home etc.

In theory, one could layer the encryption on top of LVM instead, but that would lead to separate decryption prompts for each partition at boot time which I wanted to avoid. There are ways to work around that (essentially by unlocking one partition and getting the keys for the other(s) from that), but why make things more complicated than necessary.

The Verdict

Everything works like a charm, including fancy things like all the thinkpad specific Fn key combinations for volume, screen brightness, think light and keyboard illumination.

Really the only difficult thing was figuring out how to get the WiFi firmware blob, everything else was standard Debian installation procedure. This is the third Thinkpad I’m installing Debian or one of it’s derivatives on, and while I always managed to make everything work as intended, it’s been a much more pleasant experience this time around.