Hi Folks,

For those of you with older Thinkpads (i.e T(4/)510, T(5/4)20, T(5/4)30), do you use these machines as your primary machines? I'm kinda stuck on mine
and Slackware runs well on it but I'm wondering whether I should start looking elsewhere for a similarly good laptop...and am coming up ...empty. Seems they don't make them like they used to - sturdy, upgradeable, awesome keyboard, long term driver/bios support etc...ok enough of that rant.

But these machines are getting old, and it appears Intel has been slowly dropping microcode updates for older cpu's as new variants are found. I say this because my attempt to mitigate the SRBDS vulnerability did not work, and from some searching I found a link at Phoronix ( https://www.phoronix.com/scan.php?pa...enchmark&num=1 ) saying (on the first page) that for IVY Bridge no microcode for the Srbds vulnerability has been made available.

If another variant of the Spectre/Meltdown vulnerability is discovered, we can probably say bye-bye to the T440(p)/T540 next, so ...

So the question is: Are you Thinkpad (T410/420/430 etc) owners thinking of alternate hardware? If so, I would be interested in knowing what you are planning to get to replace your laptop? Will it be New? Used? AMD? Arm? Alder Lake? Something else?

Or is not completely patching Spectre/Meltdown vulnerabilities ok with you?

And if you are curious as to what I did to try and mitigate the vulnerability the steps are outined just below but that isn't really the question anymore (I think :-) ) Maybe there is a microcode for the srbds that I don't know about.

##############################################################################
### What I did to upgrade the microcode to patch the SRBDS vulnerability ###
##############################################################################
In the end, after installing the intel-microcode and iucode_tool and because I am using grub, I only needed to add one line in /etc/default/grub:

GRUB_EARLY_INITRD_LINUX_CUSTOM="intel-ucode.cpio"

With that done the /boot/grub/grub.cfg file was updated by doing another "grub-mkconfig -o /boot/grub/grub.cfg".

I could see that grub-mkconfig -o /boot/grub/grub.cfg updated the menu entries to load the microcode - but after rebooting the output of lscpu showing the status of mitigations for Spectre/Meltdown didn't change with the microcode added. Checking the output of "cat /sys/devices/system/cpu/vulnerabilities/srbds" also showed the same result - i.e srbds was still vulnerable.

Output of lscpu showing vulnerabilities:

Vulnerabilities:
Itlb multihit: KVM: Mitigation: VMX unsupported
L1tf: Mitigation; PTE Inversion
Mds: Mitigation; Clear CPU buffers; SMT vulnerable
Meltdown: Mitigation; PTI
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional
, RSB filling
Srbds: Vulnerable: No microcode
Tsx async abort: Not affected

----------

Output from cat also shows the same status:

cat /sys/devices/system/cpu/vulnerabilities/srbds
Vulnerable: No microcode

---------- Output from dmesg

dmesg | grep -i microcode
[ 0.092538] SRBDS: Vulnerable: No microcode
[ 4.169392] microcode: sig=0x306a9, pf=0x10, revision=0x21
[ 4.170357] microcode: Microcode Update Driver: v2.2.

I would be more concerned about Intel ME, rather than Spectre or Meltdown... Did you try to strip it, and maybe install coreboot?

1 members found this post helpful.

I have a few t440 t450 t430 but use t430 for school only. Others are for basic entertainment and primarly used by kids.
Slackware works very well with it. Just looking forward for a real desktop.

My main is an Asus ux303ln. Quite old now. I would look at their new machines if I was looking for a laptop.

@tauon

I get that it is harder to use Spectre/Meltdown than Intel ME and you probably have a point - although I am going to have to read up a little on Coreboot if I go that route. Coreboot won't fix Spectre/Meltdown though. But I see your point.

As of now, I'm not sure that there are any cpu architectures that are unaffected by Spectre/Meltdown at the moment...so buying anything won't help in that regard.

Maybe looking at removing Intel ME should be my first option, although there is always the chance of a "bricked" computer when playing around with stuff like Coreboot - although I don't know much about it yet. Will give it a read. Might buy a cheapie Thinkpad and do a trial run at some point...Guess I will have to build security one "brick" at a time - hahaha

Thanks

My take is such a choice depends on use case and common environment as well as how paranoid one thinks they need to be. I don't use my laptop often but it is never outside my home, always om wired connection, almost never exposed to anyone who knows Linux, however it is VERY old. I'm using an IBM (yup, still) T61P and I've run the hardcore Lynis audit tool and naturally it is a vast amount more paranoid than I am since it assumes an Enterprise environment as in at least an occasional workstation, remote or otherwise.

I get 55 suggestions, almost all of which are hardening concerns commonly needed in such an environment, but only 1 or 2 which actually apply to mine. If I use "lscpu" I get similar results to you but it doesn't bother me one bit. In years of use (admittedly sporadic) and many runs of rkhunter and checking iptables logs I have never been compromised on this box. I haven't had a microcode update in ages but all seems well.

Note: I use the T61P, actually bought it used because it preceeds ME so is of zero concern.

2 members found this post helpful.

I am on a T420 and I am not concerned. If it gets to the point where I get concerned I would just disable SMT in the bios.

I disabled SMT on the T420 for a short period of time to see if there was a difference, and did not really notice any different in performance.

I have a Thinkpad T510 for various internet (gopher, IRC), office and home network monitoring tasks, and as a portable when the cellphone and tablet are too small. It's a solid box with plenty of ports and FIREWIRE! The only box I have that can still access my 2 DV cameras.
From my reading, I'm not too concerned about Spectre/Meltdown since I don't present much of an attack service. It is highly unlikely any remote execution attack will be successful on my home network. They well need to ring the doorbell first and ask for entry. As enorbet mentioned, it depends on your use case and paranoia comfort level.

I've recently come across https://frame.work - a customizable modular laptop, if you need more modern hardware. looks interesting. System76 gets decent reviews - I have not owned one. The newer Lenovo Thinkpads (have a T490 for work), still have good Linux support but IMO the buld quality is starting to slide. I'd stick with the IBM or early Lenovo Thinkpads.

1 members found this post helpful.

I have a T430s and it's not the performance as much as the screen that limits it. Compared to more recent 1080p screens, it's irritatingly cramped, grainy and dim. I mostly use an Asus Zenbook or a t470s. I've eyed that Framework laptop too, and if I were in the new laptop market, that would make the short short list.

My main system is a Lenovo T430 + slackware 14.2 (64)
I installed current (Nov 2021) on a partition and it runs ok.

I recently bought a T480s on which I installed current in November.

I don't complain: they both work fine.

I have a ThinkPad x230, where I replaced the HDD with an SSD. It was running Slackware perfectly fine and I used it for presentations without any problems. It has a VGA, which came handy with some older projectors.

I've had Slackware64-current running on my T410 & X200 with no problems. I replaced the HDDs with SSDs too, dead easy with Thinkpads.

Thanks for the input everyone. I really love that Framework laptop concept ... so easy to access components and swap out the different io connectors. I'm definitely going to check in on them next year - I really hope they catch on. The laptop is linux compatible...so hoping Slackware is too.

For now, like others here, I'm hesitant to give up on my old Thinkpad, so I fell into a Coreboot rabbit hole.

I have a raspberry pi 3 and was always a little curious about those GPIO pins (i2C, SPI, UART). I've now got a reason to look at those pins because it seems they can help me backup my existing bios on the Thinkpad before flashing Coreboot (SeaBIOS). Seems that you can go back if the Coreboot flash goes south...

I found this description of the pi's GPIO pins.

https://www.mbtechworks.com/hardware...T-SPI-I2C.html

And there are vids on youtube. Found one youtube video that shows how to flash the bios of an X220 using the SPI protocol method from a pi to the laptop. There are others.

Anyway, that is where I am at...if I ever get this done I'll update this thread.

Thanks!

2 members found this post helpful.

I'm also going to flash coreboot on my X220 at some point in order to make the nitrocaster mod fully working. If I remember correctly, the manual for X220 starts with the "backing up" the existing BIOS.

Anyway, good luck with the coreboot!

@tauon

A nice monitor for your X220... thumbs up to that!

In my case, I'd probably like to get the same bios chip from another similar motherboard and practice modding the bios with that first. I always need to kick the can around a few times (and sometimes more) to get the procedure down pat.
Soldering is definitely not one of my skills. I'd have to practice on dead motherboards (luckily I have a few hehehe). And a good set of tools to solder... a good spi programmer to play around with just to see if I can get the programmer to read and flash the bios chips. I've seen youtube vids showing how to desolder bios chips from the board so that they could be fitted to a programmer, but you don't have to desolder the chip. So tempted....we will see :-)


Take Care

Thanks! Unfortunately, X220 comes with a yet outdated HD screen, but FullHD on such a tiny thing looks so great, even better than my R50p.