These instructions cover how to install Debian 'jessie' 8.x onto a Microsoft Surface Pro 4.
The instructions assume you are not new to Debian, though you may have no experience of UEFI and SecureBoot (I did not until now!).
What is Working
- dual booting
- SecureBoot
- Touchscreen and Pen
- typing cover keyboard
- multitouch touchpad (two finger scrolling, etc)
- special keys
- 2D and 3D (OpenGL) acceleration
- hardware video decoding
- power and volume buttons on the screen
- audio (including the microphone)
- sensors -
dev_rotation
though gives nothing but zeros - wireless (is a 88W8897, a wireless/bluetooth combo module)
- bluetooth - this only appears once you use the wireless card firmware from firmware-libertas (20151207-1~bpo8+1) [pcie8897_uapsta.bin version 15.68.4.p112]
- microSD reader - presented as a USB reader appearing when you insert a card
- suspend (rather freeze), hibernate and resume works
Outstanding Issues
-
camera
- is on an I2C bus on accessible via the graphics card
- from the ACPI DSDT you can get information on what the three cameras are
- front camera (
CAMF
) is aOV5693 (INT33BE)
, there is an Android driver - rear camera (
CAMR
) is aOV8865 (INT347A)
, there is an Android driver - third camera (
CAM3
) is an IROV7251 (INT347E)
, there is an Android driver
-
opening the typing cover (or pressing keys) does not not automatically resume
-
- DSDT changes required to fix this
- once done, we can turn turbo boost off on battery via
/sys/devices/system/cpu/intel_pstate/no_turbo
-
there is an ACPI
INT3420
entry for 'Intel Bluetooth RF Kill' which would be nice to have -
enable the other I2C (
INT344[2-5]
) and SPI (INT344[01]
) busses viadrivers/mfd/intel-lpss-acpi.c
maybe? -
there are a number of hardware sensors via a MAX34407 on the I2C bus
-
there is no S3 'suspend to RAM' available as since the Surface Pro 3, connected standby (ACPI state S0ix) replaces it; although supported by Linux fundamentally by Linux, some practical work is still needed
- this means that S3 'suspend to RAM' (
echo mem > /sys/power/state
) is replaced with S1 'power on suspend' (echo freeze > /sys/power/state
) which uses a lot more juice; 100% charge lasts about 12 hours - amending the DSDT manually to remove the conditional that masks out S3 results in
echo mem > /sys/power/state
making the laptop power up as if power cycled. Probably works better withacpi_rev_override
(_REV=2
) andacpi_os_name="Windows 2012"
(or earlier)
- this means that S3 'suspend to RAM' (
-
Caps Lock key light - 'fixed' by running
sudo kbd_mode -u
- this is not a problem with the
hid-microsoft
driver which if you want to use make sure you are usingxserver-xorg-input-evdev >=2.10
as well asOption "IgnoreAbsoluteAxes" "on"
- we use the
hid-multitouch
driver as it presents separate keyboard and touchpad devices, which means the xorgevdev
driver does not handle the touchpad andmtrack
sees it as a touchpad and can handle it
- this is not a problem with the
-
Wireless
- power saving needs to be turned off otherwise after about a minute of idling, you start seeing 100ms+ first hop latencies
modprobe -r mwifiex_pcie; modprobe mwifiex_pcie
results in a lockup; you need to reset the card inbeteen the unload/load withecho 1 > /sys/bus/pci/devices/0000\:02\:00.0/reset
- on kernel 4.5.x (and I guess 4.6.x too) the driver is pretty flakey though there is a patch on the linked bugzilla
-
the GRUB with SecureBoot needs some more work, the fonts are bust, plus I need to find the problematic module so we can just load the lot in making the process simpler
-
gparted
lockup investigation -
move to using
triggerhappy
rather thanxbindkeys
so that the multimedia keys can still work with the screen locked -
reading sensors (such as the ALS) occasionally takes a long time, which might be related to bad timings:
[10805.080581] i2c_hid i2c-MSHW0030:00: failed to change power setting. [10805.080969] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10805.081317] i2c_hid i2c-MSHW0030:00: failed to set a report to device. [10805.081609] i2c_hid i2c-MSHW0030:00: failed to set a report to device. [10805.081887] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10805.484550] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10810.588300] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10815.691993] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10820.795814] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10825.899475] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10831.003440] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10836.107134] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10841.210879] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device. [10849.482535] i2c_hid i2c-MSHW0030:00: failed to set a report to device. [10849.482955] i2c_hid i2c-MSHW0030:00: failed to change power setting. [10849.483393] i2c_hid i2c-MSHW0030:00: failed to set a report to device. [10849.483781] i2c_hid i2c-MSHW0030:00: failed to retrieve report from device.
Related Links
- because of the high resolution screen it is worth reading through some HiDPI related materials otherwise you will very quickly go short sighted
- wishing for a matte screen, I got the iLLumiShield and find it does the job great
- for a nice cheap case, I got the blue map motif MoKo Ultra Slim Lightweight Smart-shell Stand Cover Case (Map F)
- patches based on
- iio-sensor-proxy -
systemctl enable iio-sensor-proxy.service
- Hibernation
- reverse scrolling
- reddit - Surface Linux: Penguins like nice things too
- Microsoft Surface Pro 4 update history
- SecureBoot
Preflight
You will require:
- an external USB keyboard, as the typing cover is not supported by Debian's kernel
- a USB hub as there is only one USB port
- a USB key
dd
'ed with the amd64 live ISO for gparted- WARNING:
gparted-live-0.24.0-2-amd64.iso
locked up after a few minutes of running, you of course do not want this midway through the resize. All I can recommend if you use this version, is to be quick - I have tried to boot
0.25.0-1
but it fails for various reasons whilst0.25.0-3
the {md5,sha1}sums for the ISOs mis-match which explains why they do not work
- WARNING:
- a USB key
dd
'ed with the non-free amd64 Debian network installer; I usedfirmware-8.2.0-amd64-netinst.iso
- an (open, WEP or WPA PSK) wireless network you can connect to (or an USB Ethernet adaptor)
Prepping Windows 10
The aim here is to shrink down the Windows partition to make room for Debian.
I wanted to keep Windows as Microsoft are constantly releasing updated firmwares which will only apply from under Windows. Of course if you plan not on dual booting you could skip all this, though I would not recommend to have something to apply those firmware updates with.
Let's start by disabling Bitlocker so that gparted can resize the partition later. This is done by clicking on Start, and clicking on 'File Manager'. From here you will be able to go to where drive C:
is located, and right-clicking on it will give you an option to 'Manage Bitlocker'. From there you will be able to click on 'Disable Bitlocker'.
N.B. if there is an exclamation mark on the drive C:
icon, you will need to firstly enable Bitlocker before you can fully disable it
Now we need to disable SecureBoot to let us boot Linux later on.
- Either:
- from Windows, click on Start -> Power -> (hold down shift) -> click on 'Restart'
- go to 'Troubleshoot'
- go to 'Advanced options'
- select 'UEFI Firmware Settings'
- whilst powered off, hold down the '+' volume button and turn on the laptop
- from Windows, click on Start -> Power -> (hold down shift) -> click on 'Restart'
- you will be dropped into the Surface UEFI system
- go to 'Security'
- under 'Secure Boot', click on 'Change configuration'
- select 'None' from the menu and click on OK
Before we go and shrink the Windows partition, lets start off by getting the latest updates (including firmwares) installed (I did this on 2015-12-31), so prepare yourself for a long and tediously slow process (hours) of watching progress bars and lots of reboot cycles as Windows 'does its thing'.
We now need to free up a space on drive C:
and get ready for shrinking by:
- turning off the hibernation file
- turning off the paging file
- run disk cleanup (including on the system files) - here you can delete any old versions of Windows which can take up ~25GB
- run twice
CHKDSK
on driveC:
, this is done by opening a command prompt as administrator and typingchkdsk /f c:
, you will need to reboot for the chkdsk to work; remember to do it a second time too!
Shrinking the Windows Partition
Insert the gparted USB key and boot it by either:
- from Windows, click on Start -> Power -> (hold down shift) -> click on 'Restart'
- go to 'Use a device'
- select 'USB Storage'
- go to the Surface UEFI system by powering on whilst holding down the '+' volume button
- go to the 'Boot configuration' section
- left swipe on 'USB Storage' to boot off your USB key
You should be able to boot into gparted now, and get something that lets you reduce the size of the NTFS partition; for me Windows took up 22GB of space so I left it in a 60GB partition to leave it enough room for Windows Update.
Once shrunk, you should test that you can still boot into Windows, and if you can, we are ready to move on (though you may wish to first go back into Window and re-enable hibernation, the paging file and Bitlocker). If not, you will have to figure out what is wrong.
For reference, my partition table looks like:
alex@quatermain:~$ sudo fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: B9B03E80-67C3-41C1-AF4F-367C32AF2CE5
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 534527 532480 260M EFI System
/dev/nvme0n1p2 534528 796671 262144 128M Microsoft reserved
/dev/nvme0n1p3 796672 130377727 129581056 61.8G Microsoft basic data
/dev/nvme0n1p4 494813184 500117503 5304320 2.5G Windows recovery environment
/dev/nvme0n1p5 130377728 493658111 363280384 173.2G Linux LVM
/dev/nvme0n1p6 493658112 494813183 1155072 564M Linux filesystem
Partition table entries are not in disk order.
N.B. you should set your swap space to about 1.5x the amount of memory you have to make sure you have space to hibernate
Installing Debian
Boot off your Debian installer USB key and work through it. Early on though you will be prompted on which Ethernet card you have, select "no Ethernet interface", then the next page you will be prompted to supply details on how to connect to your wireless network then the installation will continue as expected.
N.B. I would recommend keeping the ~2.5GB recovery partition so if you ever need to return the laptop, you will find the process dead easy; though it seems you could move the partition to external media or download it from the Microsoft website
For your information, I went for a /boot
partition and put everything else on LVM.
When the installer gets to the point of installing GRUB as your boot loader, it will fail. To resolve this you will need to 'Execute a shell' and type the following:
mount --bind /sys /target/sys
chroot /target /bin/bash
apt-get install grub-efi
update-grub
grub-install /dev/nvme0n1
exit
umount /target/sys
exit
Now click on 'Continue without a bootloader'.
You laptop should reboot and you will see the GRUB bootloader and Debian should boot.
N.B. until you install a newer (backports) kernel GRUB will not detect and boot Windows
Configuring
Add Additional Repositories
You need to add Debian backports, stretch, sid, as well as some suitable pinning. So copy into place the required files under /etc/apt/
. Now run:
sudo apt-get update
Networking
All you need to do is copy the contents of interfaces.d
into /etc/network/interfaces.d/
; plus create a suitable /etc/wpa_supplicant/wpa_supplicant.conf
file (if you are not using any network management tool).
Kernel
First you need to set some kernel boot arguments which are set in /etc/default/grub
:
resume=/dev/mapper/lvm--quatermain-swap
N.B. you must adjust the resume
argument to match where your swap space is, or if you plan not to use hibernation, replace it with noresume
N.B. if you are running a kernel earlier than 4.4, you will also need to add intel_idle.max_cstate=2
otherwise the GPU whilst modeset'ing will black out the screen and crash the system
Also, so that your keyboard works before the root filesystem is mounted, edit your /etc/initramfs-tools/modules
file to include hid_multitouch
.
Run the following to get your system ready to compile a kernel:
sudo apt-get install build-essential git fakeroot kernel-package
sudo apt-get install firmware-libertas/jessie-backports firmware-misc-nonfree intel-microcode
wget -P /usr/src http://http.debian.net/debian/pool/main/l/linux/linux-source-4.8_4.8.7-1_all.deb
git clone https://gitlab.com/jimdigriz/linux.git /usr/src/linux
cd /usr/src/linux
git checkout mssp4
ar p /usr/src/linux-source-4.8_4.8.7-1_all.deb data.tar.gz | gunzip -c | tar xO ./usr/src/linux-config-4.8/config.amd64_none_amd64.xz | xzcat > .config
cat <<'EOF' >> .config
CONFIG_INTEL_IPTS=m
CONFIG_BLK_DEV_NVME=y
CONFIG_MODULE_SIG=n
CONFIG_SYSTEM_TRUSTED_KEYRING=n
EOF
Now run make oldconfig
(accept the defaults to all the prompting) so our .config
changes are incorporated (we make nvme
built in so hibernation works).
Time to compile the kernel (this will take about 40 minutes):
CONCURRENCY_LEVEL=`getconf _NPROCESSORS_ONLN` fakeroot make-kpkg --initrd --append-to-version=-mssp4 kernel_image
N.B. you can append kernel_headers
to also build the linux-headers
package too
Once compiled (roughly 40 minutes), you now need to install your new kernel:
sudo dpkg -i /usr/src/linux-image-4.9.0-mssp4+_4.9.0-mssp4+-10.00.Custom_amd64.deb
Now reboot into your new kernel.
Power
Install the needed packages:
sudo apt-get install sleepd
Copy in the /lib/systemd/system-sleep
helper files, /etc/systemd/sleep.conf
and also /etc/default/sleepd
.
You should be able to suspend (echo freeze | sudo tee /sys/power/state
, or close the typing cover), hibernate (echo disk | sudo tee /sys/power/state
) and resume (hold the power button for roughly five seconds).
If you have problems, such as stalls at boot time, there probably is a problem with your resume
kernel parameter (did you compile the kernel with nvme
built in?), so to break out of the stall add noresume
to your kernel parameters.
Screen Locking
To lock your X11 console, you will need a few packages:
sudo apt-get install xautolock xss-lock
Then set your ~/.xsession
accordingly to run these.
PowerTOP
A number of PowerTOP suggestions are applied with:
Graphics
Console
All you need to do is so run:
sudo dpkg-reconfigure console-setup
Then select the 'Terminus' font, and the 16x32 sizing.
N.B. you can set the keyboard mapping for the console (and Xorg) with localectl ...
Unfortunately there is an outstanding bug (console-setup w/ systemd forgets font setting) which means you have to slip in /etc/udev/rules.d/90-setupcon.rules
to stop them being shrunk again (and the keyboard mapping being forced back to US)
Xorg
Start off by installing Xorg:
sudo apt-get install xserver-xorg xserver-xorg-input-mtrack xserver-xorg-video-intel libgl1-mesa-dri libgl1-mesa-glx big-cursor
Now populate /etc/X11/xorg.conf.d
and then you should be able to start Xorg (I recommend installing the lightdm package) and it will have 2D and 3D acceleration enabled. You can check this by running:
alex@quatermain:~$ grep AIGLX /var/log/Xorg.0.log
[ 5.124] (==) AIGLX enabled
[ 5.183] (II) AIGLX: enabled GLX_MESA_copy_sub_buffer
[ 5.183] (II) AIGLX: enabled GLX_ARB_create_context
[ 5.183] (II) AIGLX: enabled GLX_ARB_create_context_profile
[ 5.183] (II) AIGLX: enabled GLX_EXT_create_context_es2_profile
[ 5.183] (II) AIGLX: enabled GLX_INTEL_swap_event
[ 5.183] (II) AIGLX: enabled GLX_SGI_swap_control and GLX_MESA_swap_control
[ 5.183] (II) AIGLX: enabled GLX_EXT_framebuffer_sRGB
[ 5.183] (II) AIGLX: enabled GLX_ARB_fbconfig_float
[ 5.183] (II) AIGLX: GLX_EXT_texture_from_pixmap backed by buffer objects
[ 5.183] (II) AIGLX: enabled GLX_ARB_create_context_robustness
[ 5.183] (II) AIGLX: Loaded and initialized i965
If this does not work then you should check that the apt pinning brought in libdrm-intel1
, libgl1-mesa-{dri,glx}
and xserver-xorg-video-intel
from jessie-backports.
Then from within X you should see something like:
alex@quatermain:~$ xdriinfo
Screen 0: i965
alex@quatermain:~$ glxinfo | head
name of display: :0
display: :0 screen: 0
direct rendering: Yes
server glx vendor string: SGI
server glx version string: 1.4
server glx extensions:
GLX_ARB_create_context, GLX_ARB_create_context_profile,
GLX_ARB_create_context_robustness, GLX_ARB_fbconfig_float,
GLX_ARB_framebuffer_sRGB, GLX_ARB_multisample,
GLX_EXT_create_context_es2_profile, GLX_EXT_framebuffer_sRGB,
Backlight
You can use (range from 0 to 937):
xrandr --output eDP1 --set Backlight 400
If you prefer, you might want to use:
sudo apt-get install xbacklight
Alternatively, look at /sys/class/backlight/intel_backlight/{brightness,max_brightness}
.
Multimedia Keys
This depends on your environment, though I am using xbindkeys which should be pretty usable on all desktop environments.
sudo apt-get install xbindkeys libnotify-bin
Copy in a ~/.xbindkeysrc
file and also the screen brightness setting script /usr/local/bin/mssp4-backlight
.
Restart X11 (to pick up the load in your ~/.xsession
file), or run 'xbindkeys' in a terminal.
Hardware Video Decoding
Lets install the drivers and a video player:
sudo apt-get install mpv/jessie-backports libva1 i965-va-driver vainfo
Test if you have VA-API acceleration available with:
vainfo
If so, now configure mpv
to use the API.
mkdir ~/.config/mpv
echo hwdec=vaapi > ~/.config/mpv/mpv.conf
When you play videos, you should find the CPU utilisation drops substantially; I saw a 3.5x improvement!
If this does not work (you see Using software decoding.
in the output of mpv
) it may be because this only works for videos encoded with a codec where VA-API accelerated decoding is available (you will see Using hardware decoding.
when it works). For hints, example the output of vainfo
and compare it to what mpv
says the video codec is (for example h264
).
Chromium (and Opera)
Lets install Chromium:
sudo apt-get install chromium
Open a tab to chrome://gpu and should see hardware acceleration is off for a number of things. To fix this, go to in another tab chrome://flags/#ignore-gpu-blacklist and enable 'Override software rendering list'. When you click on 'Relauch now' you should see 'Video Decode' is now enable in the chrome://gpu tab.
Now install the h264ify extension and then test by watching COSTA RICA IN 4K 60fps (ULTRA HD) w/ Freefly Movi and cranking it up to 2160p. Under the menu option 'stats for nerds' you should see pretty much zero frame drops and your CPU only going to 100%ish, rather than the 250%+ without and the stuttering that goes with software rendering at this resolution.
Vivaldi
Similar to the Chromium/Opera instructions (override the software rendering list and install h264ify), you will also need to fetch vivaldi-snapshot from the Vivaldi website (it will auto-update afterwards). Now go and fetch chromium-codecs-ffmpeg-extra from Ubuntu and install it.
sudo dpkg -i chromium-codecs-ffmpeg-extra_51.0.2704.79-0ubuntu0.15.10.1.1232_amd64.deb
Now install:
sudo apt-get install libvdpau-va-gl1 vdpauinfo
Now run vivaldi with:
VDPAU_DRIVER=va_gl vivaldi
Firefox
For Firefox, which does not support any HTML5 video hardware decoding, you can persuade the (non-pepper) flashplugin-nonfree
package to use hardware acceleration:
sudo apt-get install libvdpau-va-gl1 vdpauinfo
sudo mkdir /etc/adobe
echo -e "EnableLinuxHWVideoDecode = 1\nOverrideGPUValidation = 1" | sudo tee /etc/adobe/mms.cfg
sudo sed -i '/va_gl/ s/^# //' /etc/X11/Xsession.d/20vdpau-va-gl
You will now need to logout and back in to get the VDPAU_DRIVER
environment variable set, or you can quickly test things with:
VDPAU_DRIVER=va_gl firefox
For me, I get about 20% CPU usage for Flash at 1080p, whilst with HTML5 I get 170%. It is worth installing one of the many Firefox extensions that force YouTube (and other sites) to use the Flash player to lower battery (and fan!) usage.
N.B. it seems that if you go above 1080p, the acceleration is no longer used and there is a significant uptick in CPU utilisation
Touchscreen and Pen
The driver (intel-ipts
) is already in the compiled kernel (from the above instructions) so after copying the various binaries described below into place, you should be able to reboot and start using your touchscreen and pen.
N.B. you will of course need to pair your the (bluetooth) pen to your laptop
OpenCL
You will need the OpenCL kernel binaries that are located in your Windows partition at %WINDIR%\INF\PreciseTouch
and you need to copy the contents of it all to /lib/firmware/intel/ipts
and add the following symbolic links:
sudo mkdir -p /lib/firmware/intel/ipts
mkdir windows
mount mount -o ro /dev/nvme0n1p3 windows
sudo cp windows/Windows/INF/PreciseTouch/Intel/SurfaceTouchServicingKernelSKLMSHW0078.bin /lib/firmware/intel/ipts
sudo cp windows/Windows/INF/PreciseTouch/Intel/SurfaceTouchServicingDescriptorSKLMSHW0078.bin /lib/firmware/intel/ipts
sudo cp windows/Windows/INF/PreciseTouch/Intel/SurfaceTouchServicingSFTConfigSKLMSHW0078.bin /lib/firmware/intel/ipts
umount windows
rmdir windows
sudo cp /usr/src/linux/firmware/intel/ipts/ipts_fw_config.bin /lib/firmware/intel/ipts
sudo ln -s iaPreciseTouchDescriptor.bin /lib/firmware/intel/ipts/intel_desc.bin
sudo ln -s SurfaceTouchServicingDescriptorMSHW0078.bin /lib/firmware/intel/ipts/vendor_desc.bin
sudo ln -s SurfaceTouchServicingKernelSKLMSHW0078.bin /lib/firmware/intel/ipts/vendor_kernel.bin
sudo ln -s SurfaceTouchServicingSFTConfigMSHW0078.bin /lib/firmware/intel/ipts/config.bin
Once done, the directory structure should look like:
$ tree /lib/firmware/intel/ipts
/lib/firmware/intel/ipts
+-- config.bin -> SurfaceTouchServicingSFTConfigMSHW0078.bin
+-- iaPreciseTouchDescriptor.bin
+-- intel_desc.bin -> iaPreciseTouchDescriptor.bin
+-- ipts_fw_config.bin
+-- SurfaceTouchServicingDescriptorMSHW0078.bin
+-- SurfaceTouchServicingKernelSKLMSHW0078.bin
+-- SurfaceTouchServicingSFTConfigMSHW0078.bin
+-- vendor_desc.bin -> SurfaceTouchServicingDescriptorMSHW0078.bin
\-- vendor_kernel.bin -> SurfaceTouchServicingKernelSKLMSHW0078.bin
GuC Firmware
Since kernel 4.7, the GuC firmware version has been bumped from 4.3 to 6.1. Debian jessie does not have this version so you need to downlownload it:
curl -s -f https://01.org/sites/default/files/downloads/intelr-graphics-linux/sklgucver61.tar.bz2 \
| tar jxO skl_guc_ver6_1/skl_guc_ver6_1.bin \
| sudo tee /lib/firmware/i915/skl_guc_ver6_1.bin >/dev/null
sudo ln -s -f -T skl_guc_ver6_1.bin /lib/firmware/i915/skl_guc_ver6.bin
The MD5 checksum of /lib/firmware/i915/skl_guc_ver6_1.bin
should be:
md5sum /lib/firmware/i915/skl_guc_ver6_1.bin
07fa52bd5b7401868cf17105db7dc3ab /lib/firmware/i915/skl_guc_ver6_1.bin
Sensors
dev_rotation
This sensor seems not to do anything for now which means xrandr
auto-rotation is not available:
watch -n1 cat /sys/bus/iio/devices/iio\:device*/in_rot_quaternion_raw
N.B. of interest though, is that when you rotate the laptop onto its side, if you have the typing cover still plugged in it gets disabled
als
You can check the light level by running the following:
watch -n1 cat /sys/bus/iio/devices/iio\:device*/in_intensity_both_raw
Interact with the sensor by covering and uncovering sensor located the farthest on the right at the top of the screen.
accel_3d
Move the laptop about whilst running in a terminal:
watch -n1 cat /sys/bus/iio/devices/iio:device*/in_accel_[xyz]_raw
gyro_3d
Move the laptop about whilst running in a terminal:
watch -n1 cat /sys/bus/iio/devices/iio:device*/in_anglvel_[xyz]_raw
SecureBoot
It is possible to get Debian booting with SecureBoot. However, as well as having the listed restrictions below, it is a bit of a pain to set up, plus to be frank it is a lot of effort and hassle just to avoid seeing a red padlock on boot. Indeed there is some slight benefit of security, but if you insist on running untrusted code as root under Linux or administrator under Windows, then it hardly is going to save you ;)
Anyway, if you do want to do this, you should be aware of the following constraints:
- you use the Linux Foundation Secure Boot System,
PreLoader.efi
- GRUB cannot load modules, so you need to generate a GRUB image with the modules you need built it
- the solution below needs you to understand how to get GRUB to the point of being able to load
/boot/grub/grub.cfg
; my example below involves just a dedicated unencrypted non-LVM/boot
mount point, you might need to adapt the/tmp/grub.cfg
file accordingly for your own setup grub-mkstandalone
simply puts all the modules in a memdisk, so you still get the same problem- building in all modules does not work as there is a module (no idea which, let me know if you work it out!) that stops GRUB detecting anything except for procfs
- it is really difficult to get a definitive list of what modules you need, it is a bit trial and error, plus you may want extras like
cat
,lspci
, etc - every time the grub package updates, you should rebuild the image and re-enroll it
- the solution below needs you to understand how to get GRUB to the point of being able to load
Start off by going into GRUB, and before Linux boots, go to the command line (pressing 'c'). On the command line, type lsmod
and note down the modules loaded, now go back to booting into Linux.
N.B. for reference, my list is: fshelp
ext2
part_gpt
boot
extcmd
crypto
terminal
gettext
gzio
normal
test
disk
loadenv
video
bufio
font
video_fb
gfxterm
efi_gop
efi_uga
video_bochs
video_cirrus
all_video
gfxterm
minicmd
Once booted, run:
sudo apt-get install efibootmgr
sudo mkdir -p /boot/efi/EFI/PreLoader
sudo curl -L -o /boot/efi/EFI/PreLoader/PreLoader.efi http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
sudo curl -L -o /boot/efi/EFI/PreLoader/HashTool.efi http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
sudo efibootmgr -c -d /dev/nvme0n1 -p 1 -L Preloader -l /EFI/PreLoader/PreLoader.efi
Now we generate a suitable GRUB image with built-in configuration we generate and a few extras needed modules:
cat <<EOF > /tmp/grub.cfg
search --no-floppy --fs-uuid --set=prefix $(blkid -o udev $(df /boot/grub/grub.cfg | sed '1d; s/ .*//') | awk -F= '/ID_FS_UUID=/ { print $2 }')
configfile (\$prefix)/grub/grub.cfg
EOF
sudo grub-mkimage -O x86_64-efi -o /boot/efi/EFI/PreLoader/loader.efi -c /tmp/grub.cfg \
[list of modules from the GRUB `lsmod` run earlier] \
configfile search_fs_uuid search ls reboot halt \
password password_pbkdf2 echo linux linuxefi chain fat efifwsetup
Then reboot into the UEFI GUI interface to configure the boot order to be 'debian' followed by 'PreLoader', then under Security, set SecureBoot to 'Microsoft & 3rd party CA'.
N.B. we make debian
the first boot option, so that when you run with SecureBoot disabled, it will boot automatically, whilst with SecureBoot enabled debian
will be silently skipped and PreLoader
will be automatically run
Now, when you boot for the first time, you will be asked to enroll loader.efi
, once done, your laptop will now boot with SecureBoot enabled.
Troubleshooting
If you get the following when running efibootmgr
:
efibootmgr: Could not set variable Boot0006: No such file or directory
efibootmgr: Could not prepare boot variable: No such file or directory
You will find that if you were to run strace
you would find out EFI has run out of space and is coming back with ENOSPC
.
To clear up some space, use:
mkdir /tmp/efivars
mount -t efivarfs none /tmp/efivars
rm /tmp/efivars/dump-type0-*
umount /tmp/efivars
rm /sys/fs/pstore/dmesg-efi-*
Now reboot so the EFI firmware can garbage collect and free up the space, then you should be able to continue where you left off.