Ubuntu 24.04: Minimal & Secure Setup on ThinkPad X1 Carbon
- 1. BIOS CONFIGURATION (F1 at boot)
- 2. OS INSTALLATION
- 3. POST-INSTALL CONFIGURATION (Ubuntu 24.04)
- 4. SYSTEM STATUS
- 5. Install packages
- 6. Hints
- 7. UFW firewall config
- 8. Install Tailscale
Summary:
A clean, no-nonsense guide to setting up Ubuntu 24.04 on the Lenovo ThinkPad X1 Carbon Gen 13. Covers BIOS hardening, telemetry removal, secure networking, and privacy-focused optimizations — everything you need to turn a factory laptop into a fast, minimal, and fully user-controlled Linux machine.
Last update: June 4th, 2025
1. BIOS CONFIGURATION (F1 at boot)
- Disable: Absolute Persistence Module (choose the reversible “Disabled” setting, not “Permanently Disabled”, which cannot be undone)
- Clear: Security Chip (TPM), Fingerprint Data
- Disable: Microsoft Pluton Security Processor
- Disable: Lenovo Cloud Services
- Enable: Bottom Cover Tamper Detection
- Set Supervisor Password
- Disable: Always On USB
- Disable: “Allow System Management Password Hardware Reset”
- Reset Secure Boot Keys → Restore Factory Keys
- Leave Secure Boot in “Deployed Mode”
- Enable: “Allow Microsoft 3rd Party UEFI CA” (Ubuntu’s shim is signed by this CA, so the installer will not boot with Secure Boot on unless it is trusted)
(After firmware setup, boot Ubuntu USB via F12)
2. OS INSTALLATION
sha256sum ubuntu-24.04.2-desktop-amd64.iso # Compare against the matching line in SHA256SUMS from the release directory, after checking SHA256SUMS.gpg with Ubuntu's signing key; a hash you compute yourself proves nothing on its own
- Use the toram boot option (append it to the vmlinuz kernel line in the GRUB menu) to load the installer into RAM for speed
- Install Ubuntu 24.04 as the sole OS
- (Temporarily disable Secure Boot if needed, re-enable after)
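Verifying the download end to end, as an added example that is not part of the original guide: fetch SHA256SUMS and its detached signature from the release directory, check the signature with Ubuntu's CD image signing key, then compare the ISO against the hash listed for it. The releases.ubuntu.com directory layout, the key fingerprint (the 2012 “Ubuntu CD Image Automatic Signing Key”, to be confirmed against Ubuntu's own verification page before you import it) and all function names are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Assumes the releases.ubuntu.com layout:
# https://releases.ubuntu.com/<version>/ holds the ISO, SHA256SUMS and SHA256SUMS.gpg.

# Ubuntu CD Image Automatic Signing Key (2012). Confirm this fingerprint against the one
# Ubuntu publishes before trusting any signature it produces.
UBUNTU_CD_SIGNING_KEY_FPR="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Download the checksum list and its detached signature for a release into DIR.
# Usage: fetch_sums 24.04.2 .
fetch_sums() {
  local version="$1" dir="${2:-.}"
  curl -fsSLo "$dir/SHA256SUMS" "https://releases.ubuntu.com/$version/SHA256SUMS" &&
    curl -fsSLo "$dir/SHA256SUMS.gpg" "https://releases.ubuntu.com/$version/SHA256SUMS.gpg"
}

# Import the signing key (idempotent) and verify the detached signature over SHA256SUMS.
# gpg exits non-zero on a bad signature. The "not certified with a trusted signature"
# warning is expected unless you have signed the key yourself; compare the fingerprint instead.
verify_sums_signature() {
  local dir="${1:-.}"
  gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$UBUNTU_CD_SIGNING_KEY_FPR" || return 1
  gpg --keyid-format long --verify "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS"
}

# Compare one ISO against the hash listed for it. Lines in SHA256SUMS look like
#   <64 hex chars> *<filename>      (the leading '*' marks binary mode)
# Fails explicitly when the file is not listed at all, so a wrong filename cannot pass.
verify_iso() {
  local iso="$1" sums="${2:-SHA256SUMS}" name expected actual
  name=$(basename "$iso")
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "$name is not listed in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$iso" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "CHECKSUM MISMATCH for $name: got $actual, expected $expected" >&2
    return 1
  fi
  echo "OK $name"
}

# Full check for a downloaded ISO, e.g.:
#   verify_release 24.04.2 ubuntu-24.04.2-desktop-amd64.iso
verify_release() {
  local version="$1" iso="$2" dir
  dir=$(dirname "$iso")
  fetch_sums "$version" "$dir" && verify_sums_signature "$dir" && verify_iso "$iso" "$dir/SHA256SUMS"
}
```

Only verify_sums_signature establishes trust; verify_iso on its own just confirms the ISO matches whatever SHA256SUMS says, which is exactly what an attacker who controls your download path would also control.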
3. POST-INSTALL CONFIGURATION (Ubuntu 24.04)
# Disable telemetry
ubuntu-report -f send no # per-user choice stored under ~/.cache/ubuntu-report, so run it as the desktop user, not via sudo
sudo systemctl disable --now whoopsie.service whoopsie.path
sudo systemctl disable --now apport.service
sudo apt purge apport
# Disable CUPS (printing system)
for svc in cups.path cups.socket cups.service cups-browsed.service; do
sudo systemctl disable --now "$svc"
done
# Disable LAN discovery/mDNS
sudo systemctl disable --now avahi-daemon.socket avahi-daemon.service
# Remove Snap system completely. Base snaps (core22, bare, snapd) refuse removal while another snap
# still uses them, so remove one at a time and repeat until "snap list" is empty.
until [ -z "$(snap list 2>/dev/null | awk 'NR>1 {print $1}')" ]; do
snap list 2>/dev/null | awk 'NR>1 {print $1}' | xargs -r -n1 sudo snap remove --purge
done
sudo apt -y purge snapd
sudo apt-mark hold snapd
# A negative apt pin stops snapd coming back as a dependency (e.g. via the transitional firefox or chromium-browser debs)
printf 'Package: snapd\nPin: release a=*\nPin-Priority: -10\n' | sudo tee /etc/apt/preferences.d/nosnap.pref
# Disable unattended upgrades (interactive prompt; answer "No")
# Caveat: this also stops automatic security updates, so run apt update && apt upgrade yourself on a schedule
sudo dpkg-reconfigure unattended-upgrades
# Remove GNOME online accounts integration
sudo apt purge gnome-online-accounts
# Disable swap (memory contents, including secrets, are then never written to disk; the trade-off is no hibernation and less headroom before the OOM killer)
sudo swapoff -a
sudo sed -i '/swap/d' /etc/fstab # drops every fstab line mentioning swap; a default install has one for /swap.img, which can then be deleted to reclaim the space
# Update firmware
sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update
# Disable Tracker (GNOME indexer)
# Mask and stop Tracker 3 services
systemctl --user mask tracker-extract-3.service tracker-miner-fs-3.service \
tracker-miner-rss-3.service tracker-writeback-3.service \
tracker-xdg-portal-3.service tracker-miner-fs-control-3.service
systemctl --user stop tracker-extract-3.service tracker-miner-fs-3.service \
tracker-miner-rss-3.service tracker-writeback-3.service \
tracker-xdg-portal-3.service tracker-miner-fs-control-3.service
# Reset Tracker database
tracker3 reset -s -r
# Clear failed unit status
systemctl --user reset-failed
4. SYSTEM STATUS
- Secure Boot: Enabled (confirm with mokutil --sb-state)
- Ubuntu shim bootloader trusted (signed by the Microsoft 3rd Party UEFI CA enabled in section 1)
- BIOS settings hardened as listed in section 1
- Telemetry (ubuntu-report, whoopsie, apport) and file indexing (Tracker) disabled
- Snap removed and held
- System minimal, fast, and under the user's control
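The items above can be checked rather than asserted. The script below is an added example (not part of the original guide) that verifies each claim on the running system: Secure Boot from the EFI variable itself (the same source mokutil --sb-state reads), swap from /proc/swaps and /etc/fstab, snapd from dpkg and apt-mark, and the telemetry and indexing units from systemd. Each file-based check takes an optional path so it can also run against captured input; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: verify the section 4 claims on the running system.
# Every file-based check takes an optional path so it can also run against captured input.

# Secure Boot: efivarfs exposes the variable as 4 bytes of attributes followed by the data,
# and the single data byte is 1 when Secure Boot is enabled (the GUID is EFI_GLOBAL_VARIABLE).
secureboot_enabled() {
  local var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || return 1
  [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

# Swap off: /proc/swaps holds only its header line when nothing is swapped on.
swap_disabled() {
  local swaps="${1:-/proc/swaps}"
  [ "$(grep -c . "$swaps")" -le 1 ]
}

# No swap entry left in fstab (comment lines ignored), so it stays off across reboots.
fstab_has_no_swap() {
  local fstab="${1:-/etc/fstab}"
  ! grep -v '^[[:space:]]*#' "$fstab" | awk '$3 == "swap" { found = 1 } END { exit found ? 0 : 1 }'
}

# snapd is not installed and is on hold, as section 3 intends.
snapd_removed_and_held() {
  ! dpkg-query -W -f='${Status}\n' snapd 2>/dev/null | grep -q 'install ok installed' &&
    apt-mark showhold 2>/dev/null | grep -qx snapd
}

# Telemetry, printing and LAN discovery units inactive; Tracker masked for this user.
telemetry_off() {
  local u
  for u in whoopsie.service whoopsie.path apport.service avahi-daemon.service cups.service cups-browsed.service; do
    systemctl is-active --quiet "$u" && return 1
  done
  [ "$(systemctl --user is-enabled tracker-miner-fs-3.service 2>/dev/null)" = "masked" ]
}

# Run every check; prints PASS/FAIL per item and exits non-zero if any failed.
run_all() {
  local c rc=0
  for c in secureboot_enabled swap_disabled fstab_has_no_swap snapd_removed_and_held telemetry_off; do
    if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

# Run with:  bash check-status.sh run
case "${1:-}" in run) run_all ;; esac
```

Run it as the desktop user, not root: the Tracker check looks at that user's systemd instance, and none of the other checks need privileges.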
5. Install packages
# Install base packages
# Chrome ships only as a .deb from Google; installing it also adds Google's apt repository and signing key,
# so later updates arrive through apt. Only TLS protects this first download.
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install -y ./google-chrome-stable_current_amd64.deb
sudo apt install -y acpi vim git conntrack socat curl ncdu net-tools direnv make nvme-cli parallel
6. Hints
- Use “Manage Chrome profiles” in Chrome to separate personal and work profiles
# Create isolated CLI-only work account (replace "user" below with your own login name)
# Note: this separates work files from the personal session; it does not protect them from it,
# since the personal account can always become user2.
sudo useradd -m -s /bin/bash -U user2 -c "Work"
sudo passwd -l user2 # lock direct login; the account is reachable only via sudo
# Allow user to switch to work account via sudo. Validate the file: a syntax error in any
# sudoers.d file makes sudo refuse to run at all.
echo "user ALL=(user2) NOPASSWD: /bin/bash" | sudo tee /etc/sudoers.d/work
sudo chmod 0440 /etc/sudoers.d/work
sudo visudo -cf /etc/sudoers.d/work # must report "parsed OK"; otherwise remove the file before leaving this shell
# Add convenience alias
echo "alias work='sudo -u user2 -i'" >> ~/.bashrc
source ~/.bashrc
# Secure home directories (user2's is owned by user2, so that one needs sudo)
chmod 0700 /home/user
sudo chmod 0700 /home/user2
7. UFW firewall config
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on lo # loopback is already accepted by ufw's before.rules; stating it is harmless
## sudo ufw allow 22/tcp
## ufw applies the first matching rule, so an SSH allow on tailscale0 must be added BEFORE the interface-wide deny below
## sudo ufw allow in on tailscale0 to any port 22 proto tcp
sudo ufw deny in on tailscale0
sudo ufw enable
sudo ufw status verbose
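Because ufw applies the first matching rule, an allow for SSH over tailscale0 only works if it sits above the interface-wide deny. The helper below is an added example (not part of the original guide): apply_rules adds the rules in an order that works, and ufw_order_ok reads the output of sudo ufw status numbered and fails if a blanket DENY (or REJECT) IN on an interface appears before an ALLOW IN on the same interface. The two sample outputs are constructed in the format ufw prints, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: catch the ufw rule-order pitfall.

# Section 7 ruleset with SSH over the tailnet allowed; the allow must precede the deny.
apply_rules() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow in on tailscale0 to any port 22 proto tcp # first match wins, so this goes first
  sudo ufw deny in on tailscale0
  sudo ufw --force enable
}

# Exit 0 when, for IFACE, no "Anywhere on IFACE  DENY IN" (or REJECT IN) row precedes an
# "ALLOW IN" row on the same interface in a "ufw status numbered" listing; exit 1 otherwise.
# IPv4 and IPv6 rows are tracked separately because ufw lists them as separate rules.
ufw_order_ok() {
  local iface="$1" status_file="$2"
  awk -v ifc="$iface" '
    /^\[/ {
      fam = ($0 ~ /\(v6\)/) ? "v6" : "v4"
      if ($0 ~ ("^\\[ *[0-9]+\\] Anywhere( \\(v6\\))? on " ifc "[[:space:]]+(DENY|REJECT) IN")) deny[fam] = 1
      else if ($0 ~ (" on " ifc "[[:space:]]+ALLOW IN") && deny[fam]) shadowed = 1
    }
    END { exit shadowed ? 1 : 0 }' "$status_file"
}

# Constructed sample: allow added before deny (correct).
sample_status_good() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on lo             ALLOW IN    Anywhere
[ 2] 22/tcp on tailscale0       ALLOW IN    Anywhere
[ 3] Anywhere on tailscale0     DENY IN     Anywhere
[ 4] Anywhere (v6) on lo        ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6) on tailscale0  ALLOW IN    Anywhere (v6)
[ 6] Anywhere (v6) on tailscale0 DENY IN     Anywhere (v6)
EOF
}

# Constructed sample: the section 7 commands run in the order written, allow uncommented last.
sample_status_bad() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on lo             ALLOW IN    Anywhere
[ 2] Anywhere on tailscale0     DENY IN     Anywhere
[ 3] 22/tcp on tailscale0       ALLOW IN    Anywhere
EOF
}

# Check the live ruleset:  sudo ufw status numbered > /tmp/ufw.txt && bash ufw-check.sh /tmp/ufw.txt
case "${1:-}" in
  "") ;;
  *) if ufw_order_ok tailscale0 "$1"; then echo "tailscale0 rule order OK"; else echo "tailscale0 ALLOW shadowed by earlier DENY"; exit 1; fi ;;
esac
```

If the check fails on a live system, fix it with sudo ufw insert 1 allow in on tailscale0 to any port 22 proto tcp rather than appending another allow, which would land after the deny again.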
8. Install Tailscale
# IMPORTANT: If restoring from backup or migrating, copy:
# /var/lib/tailscale/tailscaled.state
# Only when tailscaled.service is NOT running elsewhere under the same identity (the file holds the node's private keys)
# Download the install script and read it before running it, rather than piping it straight into sh
curl -fsSL https://tailscale.com/install.sh -o tailscale-install.sh
less tailscale-install.sh
sh tailscale-install.sh
systemctl status tailscaled
sudo tailscale up # authenticate this node in the browser; until then tailscale status reports the node as logged out
tailscale status