Thinkpad X1 Carbon G9 – Ubuntu 20.04 – LVM full Encryption install

Review and Installation

This review of installing Ubuntu 20.04 on a generic Thinkpad X1 Carbon Gen9 unit.

My particular unit was a refurbished X1 Carbon G9 model with Windows 10 pre-installed. This unit is also available from Lenovo store with Fedora and Ubuntu pre-installed, but this review shows that Ubuntu seems to run fine on the generic Laptop ordered from the store.


  • Lenovo Type: 20XW003LUS ( X1 Carbon Gen 9 )
  • Core i7-1185G7
  • Display: HD 16:10 ( 1920 x 1200 ) Touch, 400Nits
  • 512GB OPAL disk ( self-encrypting )

Lenovo Store:

Initial Impressions

To preserve the ability to return the unit I ran Ubuntu Live ISO for initial testing without modifying the installed SSD.

A generic USB-c CDROM was able to boot media, however for my testing I used a pre-installed Ventoy USB multi-boot flash drive. See my link below about installing Ventoy and using it for installing ESXi.

For this test, copy Ubuntu 20.04.3 ISO file to the Ventoy media, and setup a 1GB persistence file. Notes on Ventoy install are here, just skip the ESXi part.

Out of the box, nearly everything worked with the Ubuntu 20.04.04 Live ISO except fingerprint reader and hibernation. Both of which have fixes. Specifically the following is working:

  • Function keys for Brightness, Sound volume,etc.
  • Bluetooth
  • Wifi
  • Speakers ( Ubuntu 20.04.3 working, failed on 20.04 base release )
  • Webcam
  • Microphone
  • Suspend ( both Ext and ZFS filesystems )
  • Hibernate (fix required)
BIOS changes

Some items of note for this laptop.

  • Only UEFI boot mode is supported, MBR boot support has been removed from the BIOS.
  • The battery is permanently installed on the motherboard. You must shut off the battery power in the BIOS before changing NVMe disks.
  • The back panel of the laptop is held on with snap-locks around the edges in addition to the 5 screws. It requires some gentle prying from the top sides to release.

To prepare for testing the installation the following changes were made to BIOS.

Enter BIOS on boot by pressing F1 after power-up to get the BIOS screen.

  • Set BIOS initial screen to diagnostics
  • Enable F12 prompt for alternate boot disk selection
  • Disable Secure Boot
  • Disable Touchpad ( for die-hard Thinkpad users that only use Trackpoint )

After these changes I downloaded the latest ubutu-20.04.3-desktop-amd64.iso image and copied it to my VenToy multiboot USB drive.

Note since my Ventoy drive was a year old, I had to upgrade to the latest Ventoy v1.051 release with GPT support as this laptop doesn’t have MBR boot support.

While upgrading Ventoy is normally non-destructive, I also found I had to reformat the Ventoy flash drive from MBR to GPT which require a re-install and that erases any images on the drive. After doing that and disabling Secure boot, F12 during boot was able to select Ventoy and it’s menu allowed Ubuntu Live to boot.


This unit has PCIe 4.0 bus so there are only a few PCIe 4.0 drives on the Market.
I selected the following high-end NVMe drive.

  • Samsung 980 Pro 2TB NVMe drive (OPAL)

This drive has switched from using MLC to TCL ( 2bit to 3bits per cell ), but the 2TB drive endurance is still specified as 1200TBW for the 2TB unit.

Installing Ubuntu with Encrypted LVM

Note: ZFS is still marked experimental. A ZFS install worked but the performance of ZFS on a single disk is still only about 20% of the performance of Ext4 so I’ve switched back to Ext4

During install select the “Advanced” option and Select LVM and encryption. ( full disk )

Reboot and verify disk encryption prompt appears at startup and you can login.

Note on SSD OPAL disk self-Encryption

Many NVMe SSD drives now support OPAL encryption standard. ( Self-encrypting drives )

I briefly tried OPAL encryption with the following:

While this procedure worked is was a bit rough. After a day or two with the unit suspended it would no longer accept the decryption password. The commands to turn off OPAL encryption worked but I still couldn’t access the disk contents. Seems this isn’t quite ready for use, at least on this hardware. I removed OPAL and switched back to LVM on LUKS disk encryption.

Ubuntu Setup

Almost all hardware was recognized and working. I did perform the following tweaks.

Fingerprint Reader

Install the following:

sudo apt install fprintd, libpam-fprintd


Setup fingerprint for user

fprintd-list username
fprintd-list username

Add primary user to group Input

usermod -a -G input username

Lock screen, and verify fingerprint unlocks unit.

Reboot unit and verify fingerprint works for login.

LVM on LUKS resize partitions

This may allow resizing partitions for storing uncrypted volume with VMware VM’s etc.

OpenConnect VPN setup


apt install openconnnect network-manager-openconnect-gnome
add openconnect profile to network-manager, with connect info

Create a shell script to lauchch xfreerdp
xfreerdp /u:username /p:password /v:rdphostname.domain /h:1200 /w:1920

Note other options that seem to work are:

  • /floatbar:show:fullscreen
  • /f (launch fullscreen)
  • /multimon
  • +fonts
  • +wallpaper
  • -themes
  • /microphone
  • /printer
  • /sound:latency:200
  • /orientation:90

Teams Client

sudo dpkg -i teams_1.3.00.16851.amd64.deb

Login username

Power saving
apt install tlp
sudo systemctl start tlp

sudo tlp-stat -b
sudo apt install acpi-call-dkms
sudo tlp-stat -b

sudo add-apt-repository ppa:linuxuprising/apps
sudo apt-get update
sudo apt install tlpui

sudo tlpui ( GUI for tlp )

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s