Install ARCH Linux on ThinkPad X1 Carbon Gen 7 with encrypted filesystem and UEFI

In this article we will be installing Arch Linux on ThinkPad X1 Carbon Gen 7 Laptop. This tutorial contains installation instructions, basic configuration as well as some post-install tuning of Arch Linux to get you started.

Most of the instructions are Arch Linux installation generic hence with a simple modifications this tutorial can be used for any UEFI system installations. However, some points are specific to ThinkPad X1 Carbon Gen 7 therefore basic Linux Administration skills are required in case you are installing Arch Linux PC/Laptop other then ThinkPad X1 Carbon Gen 7.

PLEASE NOTE
This guide will only get you started. If you have some additional tips and tricks on how to improve performance please use the comments below so we can incorporate them into this guide.
Thank you.

After completing this tutorial you will end up with:

  • Installed Arch Linux with GNOME desktop
  • Encrypted / directory using luks encryption
  • Configured Linux boot loader using systemd-boot
  • Created Logical Volumes and partitions to host your swap and / directory
  • Configured EFI parition for your /boot directory
  • Basic System configuration and fine-tuning
  • Ability to use wireless to connect to your WiFi from GNOME desktop
  • Functioning Bluetooth and Thunderbolt controller
  • Ability up upgrade a firmware on your ThinkPad X1 Carbon Gen 7

ARCH Linux on ThinkPad X1 Carbon Gen 7  Laptop

ARCH Linux on ThinkPad X1 Carbon Gen 7 Laptop

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Arch Linux
Software N/A
Other Access to WiFi connection. Privileged access to any Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Install ARCH Linux on ThinkPad X1 Carbon Gen 7 step by step instructions



  1. Just to avoid any confusion the following BIOS settings are assumed and/or recommended:
    BIOS Secure Boot disabled

    BIOS Secure Boot disabled
    Kernel DMA Protection disabled. This is required in order to disable Thunderbolt BIOS assist mode.

    Kernel DMA Protection disabled. This is required in order to disable Thunderbolt BIOS assist mode.


    Thunderbolt BIOS Assist mode disabled. This is required for firmware upgrade.

    Thunderbolt BIOS Assist Mode disabled. This is required for thunderbolt controller firmware upgrades
    To make sure that you are on the same page with this tutorial set the Boot method to UEFI Only

    To make sure that you are on the same page with this tutorial set the Boot method to UEFI Only


    Optional I/O Port Access configuration

    Optional I/O Port Access configuration
    Sleep State set to Linux

    Sleep State set to Linux


  2. Next step is to create a bootable Arch Linux USB. Download the official Arch ISO, plug in any USB flash drive and execute the following command given that the /dev/sdX is a block device name of your USB flash drive:
    # ddrescue archlinux-XXXX.XX.XX-x86_64.iso /dev/sdX --force -D
    
  3. Once you have the Arch Linux USB flash drive created plug it into your ThinkPad X1 Carbon, turn the Laptop ON and press F12. The boot menu will pop-up. From there select the first option of UEFI CD.
  4. If everything went smoothly, now you should be presented with the Arch Linux command prompt and logged in as a root user. The first thing we need is to get access to the Internet. Enter command:
    # wifi-menu
    

    Follow the wizard by entering SSID of your wireless network and appropriate driver. This might take few seconds but when successful confirm that you have access to the Internet be executing the ping command:

    $ ping -c 1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=9.81 ms
    
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 9.810/9.810/9.810/0.000 ms
    


    We will use the internet connection to download and install base packages for our new Arch Linux system.

  5. Next, we are going to partition hard drive. We will create 2 partitions. First partition will be used as EFI end eventually mounted as /boot. The second partition will be used to create Logical Volumes for / and swap partitions. Execute the following cfdisk command or use any other partitioning tool you are familiar with:

    WARNING
    Executing the bellow command will essentially wipe out any filesystems and data on your hard drive with no way for return. Make sure you are sure what your are doing.
    # cfdisk -z /dev/nvme0n1
    
    Paritioning SSD drive. This will remove any partitions and data. make sure your know what you are doing.

    Paritioning SSD drive. This will remove any partitions and data. make sure your know what you are doing.


    Select GPT label type

    Select GPT label type.
    partitioning disk for arch with EFI

    Create both partitions as shown by this screenshot. Ensure to also select an appropriate file-system type. The EFI partition size should be somewhere between 300 – 500MB. Just to give you an idea, this installation will consume approximately 69MB of disk space so make sure that you have some space to move around. Once ready, write the changes and exit.

    Next, step is to format the EFI partition:

    # mkfs.vfat -F32 -n EFI /dev/nvme0n1p1
    

    Futhemore, we need to create, encrypt and format the second partition:

    # cryptsetup --use-random luksFormat /dev/nvme0n1p2
    


    Next, map the device as luks. We will use this mapped device name to create logical volumes in the next step:

    # cryptsetup luksOpen /dev/nvme0n1p2 luks
    
    Format and encrypt partitions

    Format and encrypt partitions
  6. Now we are ready to create logical partitions for our root file system and swap partition.The following commands will do just that. Feel free to change the size of the swap partition to fit your needs:
    # pvcreate /dev/mapper/luks
    # vgcreate vol_grp /dev/mapper/luks
    # lvcreate --size 8G vol_grp --name swap
    # lvcreate -l +100%FREE vol_grp --name root
    

    Optionally, use lvdisplay command to show all logical volumes.

    Creating Logical volumes with LVM

    Creating Logical volumes with LVM

    Lastly, in this step format the new root and swap partition:



    # mkfs.ext4 -L root /dev/mapper/vol_grp-root
    # mkswap /dev/mapper/vol_grp-swap
    
    Format new partitions

    Format new partitions
  7. We are almost ready to install the base system packages. But, first let’s mount all required partitions including the swap partition:

    # mount /dev/mapper/vol_grp-root /mnt 
    # swapon /dev/mapper/vol_grp-swap 
    # mkdir /mnt/boot
    # mount /dev/nvme0n1p1 /mnt/boot
    
    Prepare for chroot by mounting all system partitions

    Prepare for chroot by mounting all system partitions


  8. Now, we are ready to install base packages of our new system.Whether it is KDE desktop or some other display manager all can be installed later. The below command will install recommended packages. In case there is something you wish to add or remove, I suggest you to do so after you reboot to your new system. For now keep it simple!. Before you hit the below command you may want to optionally edit the /etc/pacman.d/mirrorlist file and place you preferred mirror on the top of the list for a faster download:
    Avoid to get stuck with no internet connection after reboot!
    The below package list will allow you to connect to WiFi via GNOME GUI using the systemd network manager. The ThinkPad X1 Carbon Gen 7 does not have wired network card so when you make any modifications to the below package list make sure you are able to get connected after reboot.
    # pacstrap /mnt gnome gnome-extra xorg base base-devel linux linux-firmware lvm2 dhcpcd efibootmgr intel-ucode xf86-video-intel vi dhclient
    
  9. Now is time to generate new /etc/fstab:

    # genfstab -U /mnt >> /mnt/etc/fstab
    

    The resulting /etc/fstab should look similar to the one shown below:

    Newly generated /etc/fstab for a new Arch Linux installation

    Newly generated /etc/fstab for a new Arch Linux installation
  10. Once the system installation is over use the arch-chroot command to enter your new system
    # arch-chroot /mnt
    

    and perform some configurations. First, disable Wayland. Wayland is intended as a simpler replacement for Xorg however, at this point it may be quite far away from there. If you wish to use Wayland feel free to skip this point or change the setting back after you reboot to your new system. Open up the /etc/gdm/custom.conf and uncomment the line WaylandEnable=false:

    Disable Wayland

    Disable Wayland

    Next, change the timezone and set system time to hardware clock. List the /usr/share/zoneinfo/ if unsure how to change the below command to fit your timezone:

    # ln -s /usr/share/zoneinfo/Australia/Sydney /etc/localtime
    # hwclock --systohc --utc
    

    Set a new hostname for your system. For example lets set it to x1-carbon:

    # hostnamectl set-hostname x1-carbon
    # echo x1-carbon > /etc/hostname
    


    Moving on, generate locales. Visit the /etc/locale.gen and uncomment the line(s) fitting your locale. For example for Australia we uncomment line en_AU.UTF-8 UTF-8 . When ready, generate and set the locales with:

    # locale-gen
    # echo LANG=en_AU.UTF-8 > /etc/locale.conf
    # export LANG=en_AU.UTF-8
    

    Set a new root password:

    # passwd 
    New password: 
    Retype new password: 
    passwd: password updated successfully
    

    Create a new user. The bellow commands will create a new use eg. lubos and set a new password for this user:

    # groupadd lubos
    # useradd -m -g lubos -G wheel,storage,power,network,uucp lubos
    set password:
    # passwd lubos
    

    One of the most important steps is to create the initial ramdisk environment. Edit the /etc/mkinitcpio.conf so the resulting file will have the following content. Please make sure to keep the order of the HOOKS as shown below:

    MODULES=(ext4)
    BINARIES=()
    FILES=()
    HOOKS=(base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard fsck)
    


    When you are happy with he content of the /etc/mkinitcpio.conf execute:

    # mkinitcpio -p linux
    
    Initial ramdisk environment configuration

    Initial ramdisk environment configuration

    To create the initial ramdisk environment. Next, install system-boot into your /boot partition:

     
    # bootctl --path=/boot install
    
    system-boot installation

    system-boot installation

    Perform some boot loader settings:

    # echo default archlinux >> /boot/loader/loader.conf
    # echo timeout 4 >> /boot/loader/loader.conf
    

    Almost there. Use the blkid command to retrieve the UUID of your /dev/nvme0n1p2.

    Retrieve partition UUID

    Retrieve partition UUID.

    Create file called /boot/loader/entries/archlinux.conf and enter the following content while replacing the YOUR-UUID-HERE with the one retrieved previously using the blkid command:

    title Arch Linux
    linux /vmlinuz-linux
    initrd /intel-ucode.img
    initrd /initramfs-linux.img
    options cryptdevice=UUID="YOUR-UUID-HERE":vol_grp root=/dev/mapper/vol_grp-root resume=/dev/mapper/vol_grp-swap rw intel_pstate=no_hwp
    


    Complete archlinux.conf boot loader file example

    Complete archlinux.conf boot loader file example

    As a last step enable the following two services to start after the reboot:

    # systemctl enable gdm
    # systemctl enable NetworkManager
    
  11. All should be ready for reboot. Exit the chroot system, unmount the root partition and reboot:

    # exit
    # umount -R /mnt
    # reboot
    
    Arch Linux GNOME desktop

    Arch Linux GNOME desktop


  12. Install and enable the throttled package. throttled is a workaround for Intel throttling issues in Linux.
    # pacman -S throttled
    # systemctl enable --now lenovo_fix.service
    
  13. Configure bluetooth support:
    # pacman -S gnome-control-center gnome-bluetooth
    # systemctl enable --now bluetooth
    
    Enabled Bluetooth support

    Enabled Bluetooth support


  14. User notes, observations & Troubleshooting

    For microphone and any other further readings in regards to more deep configuration and tuning of the Lenovo ThinkPad X1 Carbon Gen 7 can be found on the official Arch Linux wiki page .

    Firmware upgrades

    Since the Lenovo joined the The Linux Vendor Firmware Service, it is now possible to upgrade some of the Lenovo hardware firmware directly from Linux command line. To do so forst install the fwupd package:

    # pacman -S fwupd
    

    To upgrade the firmware execute:

    WARNING
    Please note that upgrading the firmware always comes with unexpected risks! If unsure you are better NOT to proceed!
    $ fwupdmgr refresh
    $ fwupdmgr get-updates
    $ fwupdmgr update
    

    Example of upgrading thunderbolt controller on ThinkPad X1 Carbon Gen 7 using the fwupdmgr:

    $ fwupdmgr get-updates
    20QDCTO1WW
    │
    └─ThinkPad X1 Yoga 4th / Carbon 7th Thunderbolt Controller:
      │   Device ID:           f388b1939351229f5cd3016ff13b2df354e9d38e
      │   Summary:             Unmatched performance for high-speed I/O
      │   Current version:     41.00
      │   Vendor:              Lenovo (TBT:0x0109)
      │   Flags:               internal|updatable|require-ac|supported|registered
      │   GUID:                c7920601-0cda-507f-851e-92129eb1d470
      │ 
      └─ThinkPad X1 Carbon 7th / X1 Yoga 4th Thunderbolt Controller:
            New version:       43.00
            Remote ID:         lvfs
            Summary:           Lenovo ThinkPad X1 Carbon 7th / X1 Yoga 4th Thunderbolt Firmware
            License:           proprietary
            Size:              262.1 kB
            Vendor:            Lenovo Ltd.
            Flags:             is-upgrade
            Description:       Lenovo ThinkPad X1 Carbon 7th / X1 Yoga 4th Thunderbolt Firmware
            
             • Before update, set the Thunderbolt BIOS Assist Mode to "Disable" in BIOS setup under Config > Thunderbolt 3.
             • DO NOT FORCE UPDATE Thunderbolt Controller. This may damage the firmware.
    

    From the output above we can see that the Thunderbolt Controller firmware upgrade from version 41 to 43 is available. The Thunderbolt Controller will restart/disconnect after update so if you have anything connected to this port it would be wise to disconnect it.

    To perform the actual Thunderbolt Firmware upgrade execute:

    # fwupdmgr update
    Downloading 43.00 for ThinkPad X1 Yoga 4th / Carbon 7th Thunderbolt Controller...
    Fetching firmware https://fwupd.org/downloads/c656c45c56fe417ac38dab5a57f451c8340292e7-Lenovo-ThinkPad-X1Carbon5th-Thunderbolt-Firmware-N1MTF28W-Secured.cab
    Downloading…             [***************************************] Less than one minute remaining…
    Decompressing…           [***************************************]
    Authenticating…          [***************************************]
    Updating ThinkPad X1 Yoga 4th / Carbon 7th Thunderbolt Controller…
    Restarting device…       [***************************************]
    

    To confirm that the upgrade was performed successfully execute:

    $ fwupdmgr get-updates
    No upgrades for ThinkPad X1 Yoga 4th / Carbon 7th Thunderbolt Controller, current is 43.00: 43.00=same
    ________________________________________________
    
    Devices that have been updated successfully:
    
     • ThinkPad X1 Yoga 4th / Carbon 7th Thunderbolt Controller (41.00 → 43.00)
    
    Uploading firmware reports helps hardware vendors to quickly identify failing and successful updates on real devices.
    Upload report now? (Requires internet connection) [Y|n]:
    

    Thunderbolt Controller



    The Thunderbolt controller should work after the Arch Linux installation out of the box.

    Lenovo Thunderbolt 3 dock connected to ThinkPad X1 Carbon Gen 7 on Arch Linux

    Lenovo Thunderbolt 3 dock connected to ThinkPad X1 Carbon Gen 7 on Arch Linux

    However, There are some caveats you might experience. For example it suddenly stopped working and I could not get past the following error message:

    "No Thunderbolt support - Thunderbolt security level could not be determined"
    

    I’m using the Thunderbolt 3 in combination with the Lenovo thunderbolt 3 dock. It worked for weeks and suddenly it stopped working as there was no way to get it recognised by the system. After various troubleshooting attempts involving various configurations, software upgrades, I have also realised that the HDMI port on the on my ThinkPad X1 Carbon is not working at all.

    Simply this could not be coincidence and I resorted to the Lenovo emergency reset. ( see below video ) on how to reset your Lenovo ThinkPad X1 Carbon Gen 7 Laptop. After that, the thunderbolt and the HDMI started to work once again as expected.

    Emergency Reset of Lenovo ThinkPad X1 Carbon Gen 7


Comments and Discussions
Linux Forum