Dell XPS 13 2-in-1 (7390)

The Dell XPS 13 2-in-1 (7390, 2019) is an Intel Ice Lake (10th gen, 10nm lithography) convertible, ultraportable laptop.

Hardware highlights
 * Up to Core i7-1065G7 CPU, 15W TDP (not fanless)
 * Up to 32GB of RAM
 * Up to 1TB NVMe SSD storage
 * Up to a 4K 16:10 aspect ratio screen
 * Convertible form-factor, touchscreen and Wacom Active ES 2.0 Pen support
 * UEFI boot only

Hardware not working

 * Fingerprint reader
 * Camera

Target setup
My personal system boots Gentoo as the only operating system (the included Windows 10 installation was wiped). It uses Secure Boot, systemd-boot and full-disk (except ESP) LUKS encryption, with the sway window manager. My keyboard layout is United Kingdom (82-key).

Wifi
The model is Intel (Killer Wireless) AX1650i, which requires firmware from linux-firmware.

Touchscreen
In kernels before 5.5, the Linux kernel may crash when loading the `intel-lpss-pci` module. This will disable the touchscreen and pen input. When booting live media, pass the kernel parameter `modprobe.blacklist=intel-lpss-pci`.

The patches to fix this are included in kernel versions after 5.5.0-rc1 and should be released into the stable 5.5.

If you're using sources from git, you can fetch the patches from the mfd tree, ib-mfd-doc-sparc-libdevres-5.5 branch.

Wacom
You need to enable `CONFIG_WACOM` and `CONFIG_PINCTRL_ICELAKE` to get a Wacom Active ES 2.0 pen to work.

(Almost) Flicker-free boot
Plymouth-9999 supports flicker-free boot, but with a couple of noticeable flickers. Set the plymouth theme to `bgrt`. The `i915.fastboot=1` parameter is not required.

Intel GVT
Currently iGVT-g is not supported by the i915 driver for Ice Lake. Other modes (iGVT-d, iGVT-s) have not been tested.

Secure Boot
efitools' `efi-updatevar` can update the 4 Secure Boot variables when in setup mode. When in user mode, I copied the public databases onto the ESP and loaded them through the UEFI Setup GUI. Tip: `systemctl reboot --firmware-setup` reboots directly to setup without having to press the Setup key on boot (F2).
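
Whether `efi-updatevar` can write the variables depends on the firmware being in setup mode, which can be checked from the running system first. The following is an added example, not part of the original page; it assumes efivarfs is mounted at `/sys/firmware/efi/efivars`, and the function names `efivar_byte` and `secure_boot_state` are hypothetical.

```shell
#!/bin/sh
# Added example: report the firmware's Secure Boot mode before enrolling keys.

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME: print the one-byte value of a global variable.
# An efivarfs file is 4 bytes of attributes followed by the payload,
# so the flag is the 5th byte. Returns 1 if the file is missing.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# secure_boot_state [DIR]: print one of
#   setup    - SetupMode=1: no platform key enrolled, the Secure Boot
#              variables (PK, KEK, db, dbx) can be written unauthenticated
#   user-on  - SetupMode=0, SecureBoot=1: enforcing, writes must be authenticated
#   user-off - SetupMode=0, SecureBoot=0: keys enrolled, enforcement disabled
#   unknown  - variables missing or unreadable (legacy boot, efivarfs not mounted)
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    setup=$(efivar_byte "$dir" SetupMode) || { echo unknown; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    case "$setup:$sb" in
        1:*) echo setup ;;
        0:1) echo user-on ;;
        0:0) echo user-off ;;
        *)   echo unknown ;;
    esac
}
```

Run `secure_boot_state` with no argument on the booted system; a result of `setup` means `efi-updatevar` can enrol the keys directly, while `user-on` or `user-off` means the firmware already holds a platform key.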

OpenSSL engine
Emerge `app-crypt/tpm2-tss-engine` to use the TPM as an OpenSSL engine. To use the TPM resource manager as an unprivileged user, add the user to the `tss` group.

$ openssl engine -t -c tpm2tss
$ tpm2tss-genkey myTpmKey.keyfile
$ openssl req -engine tpm2tss -keyform engine -new -x509 -nodes -sha256 -days 365 -key myTpmKey.keyfile -out self-signed-cert.crt

Optional configuration
The engine should not require further configuration, but if needed you can add the following configuration to `/etc/ssl/openssl.cnf` and modify it to taste.

[default]
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
tpm2tss = tpm2tss_section

[tpm2tss_section]
engine_id = tpm2tss
dynamic_path = /usr/lib64/engines-1.1/libtpm2tss.so

TOTP measured boot
Emerge `app-crypt/tpm2-totp`. If using dracut and plymouth, you'll want a version greater than 0.2.0 which isn't in the tree.