Lenovo’s latest batch of AMD ThinkPad laptops are unable to boot anything but the Windows operating system by default.
That’s according to well-regarded free software developer Matthew Garrett. He encountered the snafu when trying to boot Linux on the new Lenovo ThinkPad Z13. This (redesigned) model comes with an AMD Rembrandt chip paired with Microsoft’s Pluton security co-processor.
Spoiler: it didn’t work.
“Trying to boot Linux from a USB stick failed out of the box for no obvious reason, but after further examination the cause became clear – the firmware defaults to not trusting bootloaders or drivers signed with the Microsoft 3rd Party UEFI CA key,” he reports on his blog.
Most mainstream Linux distributions, including Ubuntu and Fedora, make use of Microsoft’s third-party UEFI CA Key for UEFI Secure Boot support. It’s what lets us dual-boot Linux with Windows without disabling secure boot.
Heck, Garrett himself worked on Linux secure boot and UEFI support in Linux. He knows how things should, can, and do work.
Yet despite that key doing its job, Lenovo is choosing to ignore it completely. As a result, Garrett notes: “[using] the default firmware configuration, nothing other than Windows will boot”.
The heavy-handed security restriction also means users cannot boot from connected Thunderbolt peripherals, such as an external hard drive.
‘There’s No Security Benefit’
The worst part of this whole issue is how unnecessary it is, as Garrett points out:
“The entire architecture of UEFI secure boot is that it allows for security without compromising user choice of OS. Restricting boot to Windows by default provides no security benefit but makes it harder for people to run the OS they want to.”
There is some good(ish) news.
Not being able to boot anything other than Windows by default does not mean the same as not being able to boot anything other than Windows at all. There is no real need for the firmware set-up in Lenovo’s ThinkPad Z13 to be this way, but it should be possible to disable Secure Boot in the BIOS.
Garrett also reasons that it may be possible to manually import the required signing key pair’s public key.
But the contention here is: this shouldn’t be necessary. Lenovo is actively making it hard to boot anything other than Windows for… no apparent reason.
And how widespread is this issue? Does it also affect other devices? That’ll become clearer as more (Linux-minded) folks get their hands on devices with this hardware configuration to find out.
Still, if you are thinking of nabbing this notebook – or perhaps any other with a Pluton security chip – it’s a story you’ll want to keep an eye on.