Phoronix reports that the AMD-powered ThinkPad Z13 laptop featuring the Ryzen 6000 PRO Zen3+ series has a problem booting Linux operating systems. This was discovered by Matthew Garrett, who shared the news on his website.
This laptop is equipped with the Lenovo-exclusive AMD Ryzen PRO 6860Z processor with a built-in Microsoft Pluton security co-processor. This is a dedicated chip that is supposed to increase security for Windows systems by verifying UEFI certificate keys. The problem is that it only trusts Microsoft's key, not any 3rd party UEFI keys that are used by various Linux distributions.
This essentially means that the Lenovo ThinkPad Z13 simply cannot run any Linux system. This laptop ships with Windows 11 by default and while there is no mention of Linux support anywhere, one could also argue that nowhere does it say it cannot boot Linux (and yes, we have checked various official specs and press releases).
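The trust decision described in the summary can be checked from a running system by reading the firmware's Secure Boot allow-list (the UEFI `db` variable) and seeing which Microsoft CAs it contains. The following is an added example, not code from Phoronix, Matthew Garrett or Lenovo; it assumes the firmware setting is reflected in the contents of `db`, the function names are hypothetical, and the sample blobs are constructed filler rather than real certificates.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature lists of this type hold DER X.509 certificates.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Common names of the two Microsoft CAs: one signs Windows boot loaders,
# the other signs third-party loaders such as the shim used by Linux distros.
WINDOWS_CA = b"Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = b"Microsoft Corporation UEFI CA 2011"
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def x509_entries(db: bytes):
    """Yield raw certificate bytes from concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(db):
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_X509:
                yield db[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
            pos += sig_size
        off = end

def trusted_cas(db: bytes) -> dict:
    """Report which Microsoft CAs appear in db (heuristic: CN substring match)."""
    certs = list(x509_entries(db))
    return {"windows": any(WINDOWS_CA in c for c in certs),
            "third_party": any(THIRD_PARTY_CA in c for c in certs)}

def load_db(path: str = DB_PATH) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]  # efivarfs prepends 4 bytes of variable attributes

def _sig_list(cert: bytes) -> bytes:
    # Constructed sample: a one-entry signature list with a zeroed owner GUID.
    sig = bytes(16) + cert
    return EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed inputs: filler bytes carrying only the CN, not real DER certificates.
SHIPPED = _sig_list(b"\x30\x82" + WINDOWS_CA)
ENABLED = SHIPPED + _sig_list(b"\x30\x82" + THIRD_PARTY_CA)

if __name__ == "__main__":
    print("as shipped:", trusted_cas(SHIPPED))
    print("3rd-party CA enabled:", trusted_cas(ENABLED))
```

On a Linux machine booted in UEFI mode, `trusted_cas(load_db())` runs the same check against the real variable.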
(Score: 4, Informative) by drussell on Monday July 11 2022, @02:35AM (10 children)
Supposedly, according to a comment on Matthew Garrett's site, you just have to go into the BIOS and enable the "3rd-party UEFI keys" option but you can apparently leave secure boot enabled if you wish. Supposedly.
(Score: 5, Interesting) by drussell on Monday July 11 2022, @02:42AM (9 children)
This seems authoritative:
https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf
They're also even supposedly going to have a "ships-with-Linux-preinstalled" model of the Z13 (obviously the keys will be enabled as-shipped on these variants), but supposedly they intend for it to be a "Linux certified and supported platform."
This might be a complete non-story...
(Score: 5, Touché) by HiThere on Monday July 11 2022, @02:55AM (5 children)
It's not a non-story if you'd been thinking of buying one.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by drussell on Monday July 11 2022, @12:34PM (4 children)
In what way?
You thought you would not be able to use Linux on a Z13?
That isn't true. It works fine. Even with Secure Boot enabled.
(Score: 2) by HiThere on Monday July 11 2022, @01:08PM (3 children)
I don't like having to fight with my system to get it to work. If they have it set up so that I need to jump through extra hoops, I'll look elsewhere.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Insightful) by drussell on Monday July 11 2022, @01:19PM (2 children)
Just buy the model pre-loaded with Linux then, if you don't want to "jump through the hoops" of installing it yourself.
It will have the 3rd-party certs enabled out of the box and some sort of Linux distro pre-installed.
(Score: 2) by Gaaark on Monday July 11 2022, @09:26PM (1 child)
The problem is if someone is interested in getting into Linux, it's just one more step they have to go through where the "Oh, God, will something go wrong?" factor will crop up and make them hesitate.
Let's say they bought the computer with Windows, but now want to try Linux as well:
Try explaining something to someone, remotely, how to get into their BIOS ("try Tab...maybe F3... errrmmm, how about...."), then get them to where they change the mode and then how to save those changes. It's scary enough for them just doing a partitioning of the hard drive, especially if they don't want to lose their existing data.
MS has forced unnecessary things onto OEMs to try to make a piece of shit operating system not so big a piece of shit. MS says they love Linux and open source... I call shenanigans!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Touché) by drussell on Tuesday July 12 2022, @12:54AM
Oh, sure...
You'll take the time to explain to "that someone" how to go into the BIOS to enable "Boot from USB," yet not explain how to "Enable 3rd-party Secure Boot" while they're in there?!
That's where you choose to draw the line on helpfulness for a noob?!
You think someone should blindly try re-partitioning their hard disk without knowing at least how to go into the BIOS and "Enable 3rd-party CA for Secure Boot?" Really?!
It seems you're now just being disingenuous...
Did you even bother to read the linked Lenovo instructions at:
https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf
I don't see how Lenovo could make it any more clear for a noob.
Sure, even other guys, like this bloke that works at Dell, don't like the default being "disabled" and apparently advocated otherwise, i.e.:
...but like it or not, it is now a Microsoft requirement for "secure pre-loaded Windows." You're going to see this everywhere.
It's not Lenovo or Dell to blame here, they're at least sometimes, somewhat trying for sane defaults, yet as long as the option is there IN the BIOS by default, I suppose I really don't have a problem with this particular variety of Microsoft shenanigans. For example, it's not nearly as bad as full-on "Restricted Boot", and they do have at least a bit of an argument for trying to secure the boot process somehow given the number of easy rogue exploits, though I do HIGHLY disagree with their particular choice of methods.
Like it or not, you're going to have to expect this going forward, but why not save the wrath for manufacturers who actually don't allow you to boot anything other than Windows? Why single out this model of Lenovo? For clickbait?!
(Score: 5, Insightful) by dalek on Monday July 11 2022, @05:15AM (2 children)
I only agree to a point. It's not as big of a story as if Linux couldn't be installed on these laptops. But it's still a story.
Here's a somewhat analogous situation. I have a Samsung phone that ships with Android and Google Play Services. By default, third party app stores (meaning not Google and Samsung) are turned off. Now, I can certainly go into the settings and allow apps to be installed from other sources. However, the page to enable this setting contains a warning that doing so is a security risk. From a technical standpoint, I can certainly install these apps. But disabling third party app stores by default and displaying the warning is likely to discourage some users who would interpret the message to mean that enabling any third party app store inherently makes their phone less secure. The message that I see on my current phone makes no distinction between enabling F-Droid versus enabling some random sketchy source of apps.
In this case, I expect that many users never look at the BIOS setup or change any settings in there. Accessing the BIOS setup at boot time might also mean disabling Windows from fast booting, which is an extra step that's not described in that document. At least on Windows 10, fast boot is a recommended option, which discourages users from disabling it. Users are conditioned to believe that changing system settings is potentially dangerous, and that they probably shouldn't do so.
This definitely isn't a hard barrier to installing Linux. But it is a soft barrier that will probably discourage some users from installing Linux when they otherwise might give it a try. Users like you and me may be able to easily enable third party UEFI keys, but I don't want Linux limited to users who are willing to change settings in the BIOS setup. Even though this is only a soft barrier, I believe it is a story.
(Score: 5, Interesting) by drussell on Monday July 11 2022, @12:26PM
It isn't just "these" laptops, though.
ANY and ALL PC models from any manufacturer that are sold now with Windows pre-installed which wish to have the "Secured-core PCs" certification will have the 3rd party certs disabled when shipped.
As long as the option is there to disable the restriction, I don't see what the problem is.
The certs are already loaded on the machine. If you want to boot to Linux, you need to disable the silly Microsoft Windows-only "security seal" but as long as the option is actually there to do that, the certs required to secure-boot Linux or other OSs, what's the issue?
Sure, if you work for a bank or something and they supply you a laptop for which they won't give you access to the UEFI password to disable it, you won't be able to even boot Linux from a USB stick but that is the whole point of the bank you work for locking down their computer. Why would that be an issue?
(Score: 2) by drussell on Monday July 11 2022, @12:37PM
Usually you'd have to go in there anyway to enable booting from a USB stick, either to boot a live-distro or to boot your install media if you're doing a permanent installation.
Most machines today won't boot from anything except the internal hard disk by default out-of-the-box, which I would think is generally a good thing given the amount of rogue crap floating around on USB devices.