Phew, You CAN Use Secure Boot Linux on New Lenovo ThinkPads

Word that Linux users are unable to boot their favourite distros “out-of-the-box” on Lenovo’s latest batch of AMD ThinkPad laptops has left many (quite rightly) confused and angry.

However, it seems all hope is not lost.

It is the case that Lenovo no longer allows buyers of its latest laptops to secure boot any major Linux distro from a USB out-of-the-box, despite those distros being signed with Microsoft’s third-party UEFI CA.

But there is an option to do it.

And it doesn’t require disabling secure boot.

As Bill aka “TheGeez” notes on his blog: “the ability to boot something that uses [Microsoft’s] 3rd party certs has been split out in the secure boot options. Enter BIOS, switch that toggle, and Bob’s your uncle.”

[Image: a screenshot of the X1 Yoga BIOS security panel and the new 3rd Party UEFI CA setting. Caption: “Dig deep and you find this”]

Now, I can’t confirm whether Bob is indeed your uncle but I can relay word that this additional effort does appear to allow you to secure boot major Linux distros on a raft of modern ThinkPads (ones that otherwise inhibit the ability out-of-the-box).

Which is good — but it doesn’t detract from the fact that this extra hurdle… is unfair and unnecessary.

For their part Lenovo intimate that it is “…a Microsoft requirement for the 3rd Party Certificate to be disabled by default” in 2022.

This is despite the fact that, as esteemed Linux dev Matthew Garrett points out, the third-party signing certificate system in place was created alongside/with/by Microsoft and the wider computing community.

To turn around and effectively demote it without any sort of consultation or indication to stakeholders?

Not cool.

Still, if you’re shopping for a modern ThinkPad and you do want to run Linux, now you know you can…

…Until Microsoft’s next unannounced change, anyway.