AMD Ryzen PRO 6860Z powered Lenovo Z13 notebook with Microsoft Pluton co-processor can't boot Linux operating systems
Phoronix reports that the AMD-powered ThinkPad Z13 laptop featuring the Ryzen 6000 PRO Zen3+ series has a problem booting Linux operating systems. This was discovered by Matthew Garrett, who shared the news on his website.
This laptop is equipped with the Lenovo-exclusive AMD Ryzen PRO 6860Z processor with a built-in Microsoft Pluton security co-processor. This is a dedicated chip that is supposed to increase security for Windows systems by verifying UEFI certificate keys. The problem is that it only trusts Microsoft's key, not any 3rd party UEFI keys that are used by various Linux distributions.
This essentially means that the Lenovo ThinkPad Z13 simply cannot run any Linux system. This laptop ships with Windows 11 by default, and while there is no mention of Linux support anywhere, one could also argue that nowhere does it say it cannot boot Linux (and yes, we have checked various official specs and press releases).
(Score: 2, Insightful) by sgleysti on Monday July 11 2022, @01:48AM (1 child)
I'm sure Richard Stallman is gonna have some words to say about this one.
(Score: 3, Informative) by Anonymous Coward on Monday July 11 2022, @02:42AM
Words that almost nobody will hear or read because he got cancelled. No more tech press articles amplifying his blog posts, no more talks at Microsoft.
(Score: 3, Funny) by drussell on Monday July 11 2022, @02:21AM
Why would anyone want to run Linux on the bare hardware when they can use WSL under glorious Windows?!
(Score: 4, Informative) by drussell on Monday July 11 2022, @02:35AM (10 children)
Supposedly, according to a comment on Matthew Garrett's site, you just have to go into the BIOS and enable the "3rd-party UEFI keys" option but you can apparently leave secure boot enabled if you wish. Supposedly.
(Score: 5, Interesting) by drussell on Monday July 11 2022, @02:42AM (9 children)
This seems authoritative:
They're also even supposedly going to have a "ships-with-Linux-preinstalled" model of the Z13 (obviously the keys will be enabled as-shipped on these variants,) but supposedly they intend for it to be a "Linux certified and supported platform."
This might be a complete non-story...
(Score: 5, Touché) by HiThere on Monday July 11 2022, @02:55AM (5 children)
It's not a non-story if you'd been thinking of buying one.
(Score: 2) by drussell on Monday July 11 2022, @12:34PM (4 children)
In what way?
You thought you would not be able to use Linux on a Z13?
That isn't true. It works fine. Even with Secure Boot enabled.
(Score: 2) by HiThere on Monday July 11 2022, @01:08PM (3 children)
I don't like having to fight with my system to get it to work. If they have it set up so that I need to jump through extra hoops, I'll look elsewhere.
(Score: 3, Insightful) by drussell on Monday July 11 2022, @01:19PM (2 children)
Just buy the model pre-loaded with Linux then, if you don't want to "jump through the hoops" of installing it yourself.
It will have the 3rd-party certs enabled out of the box and some sort of Linux distro pre-installed.
(Score: 2) by Gaaark on Monday July 11 2022, @09:26PM (1 child)
The problem is if someone is interested in getting into linux, it's just one more step they have to go through where the "Oh, God, will something go wrong?" factor will crop up and make them hesitate.
Let's say they bought the computer with Windows, but now want to try linux as well:
Try explaining something to someone, remotely, how to get into their bios ("try Tab...maybe F3... errrmmm, how about...."), then get them to where they change the mode and then how to save those changes. It's scary enough for them just doing a partitioning of the hard drive, especially if they don't want to lose their existing data.
MS has forced unnecessary things onto OEMs to try to make a piece of shit operating system not so big a piece of shit. MS says they love linux and open source... I call shenanigans!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Touché) by drussell on Tuesday July 12 2022, @12:54AM
You'll take the time to explain to "that someone" how to go into the BIOS to enable "Boot from USB," yet not explain how to "Enable 3rd-party Secure Boot" while they're in there?!
That's where you choose to draw the line on helpfulness for a noob?!
You think someone should blindly try re-partitioning their hard disk without knowing at least how to go into the BIOS and "Enable 3rd-party CA for Secure Boot?" Really?!
It seems you're now just being disingenuous...
Did you even bother to read the linked Lenovo instructions at:
I don't see how Lenovo could make it any more clear for a noob.
Sure, even other guys, like this bloke that works at Dell, don't like the default being "disabled" and apparently advocated otherwise, ie:
...but like it or not, it is now a Microsoft requirement for "secure pre-loaded Windows." You're going to see this everywhere.
It's not Lenovo or Dell to blame here, they're at least sometimes, somewhat trying for sane defaults, yet as long as the option is there IN the BIOS by default, I suppose I really don't have a problem with this particular variety of Microsoft shenanigans. For example, it's not nearly as bad as full-on "Restricted Boot", and they do have at least a bit of an argument for trying to secure the boot process somehow given the number of easy rogue exploits, though I do HIGHLY disagree with their particular choice of methods.
Like it or not, you're going to have to expect this going forward, but why not save the wrath for manufacturers who actually don't allow you to boot anything other than Windows? Why single out this model of Lenovo? For clickbait?!
(Score: 5, Insightful) by dalek on Monday July 11 2022, @05:15AM (2 children)
I only agree to a point. It's not as big of a story as if Linux couldn't be installed on these laptops. But it's still a story.
Here's a somewhat analogous situation. I have a Samsung phone that ships with Android and Google Play Services. By default, third party app stores (meaning not Google and Samsung) are turned off. Now, I can certainly go into the settings and allow apps to be installed from other sources. However, the page to enable this setting contains a warning that doing so is a security risk. From a technical standpoint, I can certainly install these apps. But disabling third party app stores by default and displaying the warning is likely to discourage some users who would interpret the message to mean that enabling any third party app store inherently makes their phone less secure. The message that I see on my current phone makes no distinction between enabling F-Droid versus enabling some random sketchy source of apps.
In this case, I expect that many users never look at the BIOS setup or change any settings in there. Accessing the BIOS setup at boot time might also mean disabling Windows from fast booting, which is an extra step that's not described on that document. At least on Windows 10, fast boot is a recommended option, which discourages users from disabling it. Users are conditioned to believe that changing system settings is potentially dangerous, and that they probably shouldn't do so.
This definitely isn't a hard barrier to installing Linux. But it is a soft barrier that will probably discourage some users from installing Linux when they otherwise might give it a try. Users like you and me may be able to easily enable third party UEFI keys, but I don't want Linux limited to users who are willing to change settings in the BIOS setup. Even though this is only a soft barrier, I believe it is a story.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest just whinge about SN.
(Score: 5, Interesting) by drussell on Monday July 11 2022, @12:26PM
It isn't just "these" laptops, though.
ANY and ALL PC models from any manufacturer that are sold now with Windows pre-installed which wish to have the "Secured-core PCs" certification will have the 3rd party certs disabled when shipped.
As long as the option is there to disable the restriction, I don't see what the problem is.
The certs are already loaded on the machine. If you want to boot to Linux, you need to disable the silly Microsoft Windows-only "security seal" but as long as the option is actually there to do that, the certs required to secure-boot Linux or other OSs, what's the issue?
Sure, if you work for a bank or something and they supply you a laptop for which they won't give you access to the UEFI password to disable it, you won't be able to even boot Linux from a USB stick but that is the whole point of the bank you work for locking down their computer. Why would that be an issue?
(Score: 2) by drussell on Monday July 11 2022, @12:37PM
Usually you'd have to go in there anyway to enable booting from a USB stick, either to boot a live-distro or to boot your install media if you're doing a permanent installation.
Most machines today won't boot from anything except the internal hard disk by default out-of-the-box, which I would think is generally a good thing given the amount of rogue crap floating around on USB devices.
(Score: 4, Touché) by EJ on Monday July 11 2022, @02:59AM (2 children)
So, the DEFAULT configuration doesn't boot to Linux? Ok. Then change the setting.
This reeks of FUD to me.
(Score: 2) by drussell on Monday July 11 2022, @07:22PM
This doesn't seem to actually have anything to do with "Pluton", the "AMD Ryzen PRO 6860Z", or the "Lenovo Z13" notebook specifically. Furthermore, the assertion that "this essentially means that Lenovo ThinkPad Z13 simply cannot run any Linux system" is demonstrably false.
The requirement to manually turn on "Microsoft 3rd Party UEFI Certificate" support applies to ALL Microsoft "Secured-core specification PCs."
Now, of course you can complain all you wish about the fact that Microsoft is requiring manufacturers of all PCs that come with Windows pre-installed and the "Secured-core PCs" moniker attached, to ship with their Microsoft 3rd Party UEFI Certificate support disabled by default, but it is total FUD to appear to blame Lenovo or AMD since this applies equally to a Dell-branded PC or whatever...
It is certainly highly disingenuous, at best!
(Score: 3, Informative) by drussell on Monday July 11 2022, @07:47PM
... is ALSO demonstrably false!
They certainly couldn't have tried very hard to find any sort of OS list specification, since the actual specification PDF for the Z13 series clearly states:
Fud, fud, fud, fud, FUD!
(Score: 3, Interesting) by ledow on Monday July 11 2022, @10:21AM (3 children)
Was only ever a matter of time.
It started when Microsoft ended up having to sign all Linux bootloader keys with their key for anything to work, and it was always going to be a problem from that point onwards - through manufacturer apathy, if not malicious design.
Fortunately the Windows ecosystem is getting ever-more irrelevant, and I'm literally converting MS PCs to Chromebook Flex machines as we speak (because even the users say that they only need a browser nowadays, and that it's SO MUCH FASTER despite being on identical hardware).
(Score: 0) by Anonymous Coward on Monday July 11 2022, @11:22AM
I heard someone complain that Android apps aren't supported on Chrome OS Flex. Is that a beta thing or a Google control freak limitation?
Otherwise, Chrome OS Flex seems like a great way to get lots of RAM since all Chromebooks on the market use soldered. I would like to know how well it handles weird configs like 4 GB soldered LPDDR4 + 32 GB SO-DIMM in empty slot.
(Score: 2) by hendrikboom on Monday July 11 2022, @09:07PM (1 child)
What is Chromebook FLEX?
A search found me a lot of advertisements but little information.
(Score: 2) by ledow on Tuesday July 12 2022, @09:09AM
ChromeOS Flex, my error.
It's basically ChromeOS, but made to run on ordinary PCs replacing their OS.
Free, but you have to create an account to download it. It also works if you want to enterprise manage it with a normal Chromebook management licence, but that's not required for home use.
(Score: 3, Insightful) by Freeman on Monday July 11 2022, @03:26PM
This seems like just another way to make it difficult to run anything, but Windows. Maybe we can look forward to an EU/UK lawsuit and/or fine? One can only hope.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"