GNU/Linux on IBM/Lenovo ThinkPad T43

Weblog Projects Photos Misc Contact

Forewords

This document is far from complete. It was last updated on 9 June 2007. Don’t expect updates.

This document describes my adventures with installing Debian sid (3.1) GNU/Linux on an IBM (or Lenovo if you prefer) ThinkPad T43 using crypted root filesystem. It also tries to document one way to install hardware device drivers and configure power saving features to fit the particular laptop for writer’s personal preferences and environment. Some of the stuff have been tested with Debian etch as well.

For Debian and non-Debian alike, TuxMobil has plenty of links to pages (more of less) similar to this.

Disclaimer

I take no responsibility for what you do with your computer. This stuff works for me and that’s pretty much all I care about. If it breaks your installation, you’re on your own. (“If it breaks, you get to keep both pieces.”)

Introduction

When I started an on-site assignment at [NDA] I was given an IBM/Lenovo ThinkPad T43 to do my work with. It came with Windows XP Professional pre-installed, but I was allowed – and in fact, supposed – to install Linux on it. The only requirement was that if I ever wanted to take the thing outside the walls of [NDA], I had to have a crypted filesystem.

Until then, I had only experimented with crypted disk images, which was rather trivial with cryptoloop. The problem was how to do this automatically with the root filesystem. How can I do it with minimal manual work?

Installation and setting up crypted root

• Debian Testing installer on USB-stick.
• Create three partitions
  • /dev/sda1 as /boot, ext3, 64 MiB
  • /dev/sda2 (unmounted), ext3 (unmounted with no filesystem created), 57 GiB
  • /dev/sda3 as /, ext3, 2 GiB (intended to be swap)
• Install base system
• Install GRUB on MBA
• Reboot to freshly installed OS
• apt-get install cryptsetup initrd-tools
• Apply patches against initrd-files (I’ve got them right here on my harddrive)
• Download kernel, patch, configure, create package, install
• Create initrd, install, configure GRUB
• Follow instructions at …
• Reboot to crypted root

Installing hardware drivers

First of all, http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p is your best friend! Use that guide instead. Feel adventurous? Feel free to read ahead.

Hardware 3D-acceleration (FGLRX)

Download drivers from ATI and compile kernel and modules with make-kpkg. All done!

WLAN

Umm… It works, though. See http://www.thinkwiki.org/wiki/Ipw2200.

Fingerprint reader

See http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p_fingerprint_reader.

Here’s what I ended up doing:

• Download the Debian package for bioapi, version 1.2.1 and 1.2.3 from http://www.qrivy.net/~michael/. If 1.2.1 is not available for your copy of Debian, try getting package that contains QSample. You are going to need it later.
• Install bioapi 1.2.1
• Download BSP from UPEK, Inc.. The one I used was TFMESS_BSP_LIN_1.0.zip.
• Extract to new directory
• Run install.sh /usr/lib (as root). This will install necessary libraries and screw up your package management. Be sure to save the directory or at least uninstall.sh the installer creates.
• Download pam_bioapi. I used pam_bioapi-0.2.1.tar.bz2.
• Install libpam0g-dev (and all the other packages you could be missing).
• Extract, create directory /tmp/pam_bioapi, run ./configure --prefix /tmp/pam_bioapi and make install.
• Download my fancy directory-structure-into-debian-package -script.
• Run the script with a bunch of parameters like…

  ~/makedeb.sh --maintainer "myname <user@host.com>" \
   --package "libpam-bioapi" --description "PAM-module for BioAPI" \
   --version "0.2.1-1" --section admin --rootdir /tmp/pam_bioapi
  

• Install created package (libpam-bioapi_0.2.1-1_i386.deb)
• Remove /tmp/pam_bioapi
• Resolve your fingerprint reader’s module ID. You can use the following command (as root).

  BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \
  \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"
  

  In my case this id is {5550454b-2054-464d-2f45-535320425350}. Create directory /etc/bioapi/pam/{5550454b-2054-464d-2f45-535320425350}.

• Run QSample (as root) to create fingerprint data for users that are allowed to authenticate with a fingerprint. Copy the created files (such as wnd.bir) to /etc/bioapi/pam/{5550454b-2054-464d-2f45-535320425350}/ (again as root). QSample writes those files to current working directory, if you’re wondering.
• Install the latest bioapi (1.2.3 as of 15 March 2006). You may want to consider copying QSample somewhere safe first.

Configure GDM to authenticate with a fingerprint

• Insert the following row to /etc/pam.d/gdm right above @include common-auth:

  auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
  

Allow luser-applications to use fingerprint reader

ll you need to do is to allow lusers to read and write the fingerprint reader device. I created group bsp and added myself there. Then I wrote this script (to be copied to /etc/init.d) to set the permissions at start up. It probably doesn’t work after suspend; I haven’t tried that yet. One the file is in place, run update-rc.d bsp defaults (as root). Finally run invoke-rc.d bsp start (as root).

Configure xscreensaver to authenticate with a fingerprint

• Make sure lusers can access the reader
• Download patched xscreensaver (or the patch and compile it yourself) from your best friend and install it. Consider putting the package to hold.
• Add alternativeAuth: True to your ~/.xscreensaver.
• Create /etc/pam.d/xscreensaver-alternative with the following content:

  auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
  @include common-auth
  

• Restart xscreensaver

If authentication doesn’t work, check /var/log/auth.log. If you get BioAPI error #194d the permissions are not properly set. If you are asked for a fingerprint after your password, you have edited the wrong file (like I did).

Configuring powersave

• Install laptop-mode-tools, hdparm, radeontool, and hibernate
• Configure
• Tweak

Scripts for ACPI

Stuff implemented:

• Dimming the display backlight with Fn+F3
• Locking the screen (and turning of the backlight) when lid is closed
• Activating xscreensaver-prompt and turning on the backlight when lid is opened

Working, but not enabled here:

• Suspend-to-RAM wit Fn+F4
• Toggle WLAN
• Toggle Bluetooth (works by default anyway)

First of all my scripts assume certain ACPI-events are caught as ibm/hotkey and not as button/lid that laptop-mode-tools already catch. This can be changed by giving ibm-acpi the parameter hotkey=enable,0x0fef. Also make sure the module is loaded at startup. See /etc/modprobe.d/ibm-acpi.

The next thing would be to catch those events and have my script handle them. It should be easy to add other handlers there.

• /etc/acpi/events/ibm_acpi
• /usr/local/sbin/ibm-hotkey.sh

Finally, the actual scripts to Do Stuff(tm).

• /usr/local/sbin/ibm-ati-powerstate.sh
• /usr/local/sbin/ibm-common.sh
• /usr/local/sbin/ibm-screen-backlight.sh
• /usr/local/sbin/ibm-x-lock.sh

Remember the x-bit.

Acknowledgements

• Without http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p this page would probably never exist.
• http://www.thinkwiki.org/ was also a great help.
• My co-worker, Tuomas Kulve. Nice working with you. Thanks for testing the stuff on Debian etch.

---

Content copyright © 2007-2020 Tommi Saviranta.
Last modified: 20 Oct 2019 14:06:29