Andrey Arapov
2025-06-04 13:59:35

Summary:
A clean, no-nonsense guide to setting up Ubuntu 24.04 on the Lenovo ThinkPad X1 Carbon Gen 13. Covers BIOS hardening, telemetry removal, secure networking, and privacy-focused optimizations — everything you need to turn a factory laptop into a fast, minimal, and fully user-controlled Linux machine.
Last update: June 4th, 2025
1. BIOS CONFIGURATION (F1 at boot)
- Disable: Absolute Persistence Module (non-permanent)
- Clear: Security Chip (TPM), Fingerprint Data
- Disable: Microsoft Pluton Security Processor
- Disable: Lenovo Cloud Services
- Enable: Bottom Cover Tamper Detection
- Set Supervisor Password
- Disable: Always On USB
- Disable: "Allow System Management Password Hardware Reset"
- Reset Secure Boot Keys → Restore Factory Keys
- Leave Secure Boot in "Deployed Mode"
- Enable: "Allow Microsoft 3rd Party UEFI CA"
(After firmware setup, boot Ubuntu USB via F12)
2. OS INSTALLATION
```bash
sha256sum ubuntu-24.04.2-desktop-amd64.iso   # Verify ISO checksum
```
- Use the `toram` boot option (on the vmlinuz kernel line) to load the installer into RAM for speed
- Install Ubuntu 24.04 as the sole OS
- (Temporarily disable Secure Boot if needed, re-enable after)
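Computing the checksum only proves something once it is compared against the SHA256SUMS file published beside the ISO, and that file is only trustworthy after its detached signature (SHA256SUMS.gpg) checks out. The script below is an added example, not part of this guide; it assumes the ISO, SHA256SUMS and SHA256SUMS.gpg are in the current directory and reads the Ubuntu CD image signing-key fingerprint from the UBUNTU_CD_KEY_FPR variable (a placeholder, take the real value from ubuntu.com).

```shell
#!/bin/sh
# Added example, not part of the original guide. Verifies an Ubuntu ISO against
# the SHA256SUMS file published beside it, after checking that file's detached
# GPG signature (SHA256SUMS.gpg). Assumes all three files are in the current
# directory. UBUNTU_CD_KEY_FPR is a placeholder: set it to the fingerprint of
# the Ubuntu CD image signing key as published on ubuntu.com.
set -eu

UBUNTU_CD_KEY_FPR="${UBUNTU_CD_KEY_FPR:-<ubuntu-cd-image-signing-key-fingerprint>}"

# Step 1 (online): fetch the signing key and verify SHA256SUMS.gpg over SHA256SUMS.
# A matching sha256 means nothing if SHA256SUMS itself was swapped out.
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$UBUNTU_CD_KEY_FPR"
    gpg --verify "$sig" "$sums"
}

# Step 2 (offline): compare the ISO's sha256 with its entry in SHA256SUMS.
# SHA256SUMS lines look like "<hash> *<file>" (binary mode) or "<hash>  <file>".
# Returns 0 on match, 1 on mismatch or when the ISO is not listed at all.
verify_iso_checksum() {
    sums="$1"; iso="$2"
    expected=$(awk -v f="$iso" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$iso: not listed in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$iso: FAILED (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "$iso: OK"
}

# Usage: verify_sums_signature SHA256SUMS SHA256SUMS.gpg && \
#        verify_iso_checksum SHA256SUMS ubuntu-24.04.2-desktop-amd64.iso
```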
3. POST-INSTALL CONFIGURATION (Ubuntu 24.04)
```bash
# Disable telemetry
sudo ubuntu-report -f send no
sudo systemctl disable --now whoopsie.service whoopsie.path
sudo systemctl disable --now apport.service
sudo apt purge apport

# Disable CUPS (printing system)
for svc in cups.path cups.socket cups.service cups-browsed.service; do
    sudo systemctl disable --now "$svc"
done

# Disable LAN discovery/mDNS
sudo systemctl disable --now avahi-daemon.socket avahi-daemon.service

# Remove Snap system completely
snap list | awk 'NR>1 {print $1}' | xargs -r sudo snap remove --purge
sudo apt -y purge snapd
sudo apt-mark hold snapd

# Disable unattended upgrades
sudo dpkg-reconfigure unattended-upgrades

# Remove GNOME online accounts integration
sudo apt purge gnome-online-accounts

# Disable swap
sudo swapoff -a
sudo sed -i '/swap/d' /etc/fstab

# Update firmware
sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update
```
Disable Tracker (GNOME indexer):
```bash
# Mask and stop Tracker 3 services
systemctl --user mask tracker-extract-3.service tracker-miner-fs-3.service \
    tracker-miner-rss-3.service tracker-writeback-3.service \
    tracker-xdg-portal-3.service tracker-miner-fs-control-3.service
systemctl --user stop tracker-extract-3.service tracker-miner-fs-3.service \
    tracker-miner-rss-3.service tracker-writeback-3.service \
    tracker-xdg-portal-3.service tracker-miner-fs-control-3.service

# Reset Tracker database
tracker3 reset -s -r

# Clear failed unit status
systemctl --user reset-failed
```
4. SYSTEM STATUS
- Secure Boot: Enabled
- Ubuntu shim bootloader trusted (via Microsoft 3rd Party CA)
- BIOS fully hardened
- Telemetry and file indexing fully disabled
- Snap removed and held
- System minimal, fast, and 100% user-controlled
5. Install packages
```bash
# Install base packages
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install -y ./google-chrome-stable_current_amd64.deb
sudo apt install -y acpi vim git conntrack socat curl ncdu net-tools direnv make nvme-cli parallel
```
6. Hints
- Use "Manage Chrome profiles" in Chrome to separate personal and work profiles
```bash
# Create isolated CLI-only work account
sudo useradd -m -s /bin/bash -U user2 -c "Work"
sudo passwd -l user2   # lock direct login

# Allow user to switch to work account via sudo
echo "user ALL=(user2) NOPASSWD: /bin/bash" | sudo tee /etc/sudoers.d/work

# Add convenience alias
echo "alias work='sudo -u user2 -i'" >> ~/.bashrc
source ~/.bashrc

# Secure home directories
chmod 0700 /home/user
sudo chmod 0700 /home/user2   # user2's home is not owned by the current user
```
7. UFW firewall config
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on lo
sudo ufw allow 22/tcp
# ufw evaluates rules in order (first match wins), so the SSH exception on
# tailscale0 must be added before the blanket deny on that interface
sudo ufw allow in on tailscale0 to any port 22 proto tcp
sudo ufw deny in on tailscale0
sudo ufw enable
sudo ufw status verbose
```
8. Install Tailscale
```bash
# IMPORTANT: If restoring from backup or migrating, copy:
#   /var/lib/tailscale/tailscaled.state
# Only when tailscaled.service is NOT running elsewhere under the same identity!
curl -fsSL https://tailscale.com/install.sh | sh
systemctl status tailscaled
tailscale status
```