AMD Ryzen PRO 6860Z powered Lenovo Z13 notebook with Microsoft Pluton co-processor can't boot Linux operating systems
Phoronix reports that the AMD-powered ThinkPad Z13 laptop featuring the Ryzen 6000 PRO Zen3+ series has a problem booting Linux operating systems. This was discovered by Matthew Garrett, who shared the news on his website.
This laptop is equipped with the Lenovo-exclusive AMD Ryzen PRO 6860Z processor with a built-in Microsoft Pluton security co-processor. This is a dedicated chip that is supposed to increase security for Windows systems by verifying UEFI certificate keys. The problem is that it only trusts Microsoft's key, not any 3rd party UEFI keys that are used by various Linux distributions.
This essentially means that the Lenovo ThinkPad Z13 simply cannot run any Linux system. This laptop ships with Windows 11 by default, and while there is no mention of Linux support anywhere, one could also argue that nowhere does it say it cannot boot Linux (and yes, we have checked various official specs and press releases).
(Score: 5, Insightful) by dalek on Monday July 11 2022, @05:15AM (2 children)
I only agree to a point. It's not as big of a story as if Linux couldn't be installed on these laptops. But it's still a story.
Here's a somewhat analogous situation. I have a Samsung phone that ships with Android and Google Play Services. By default, third party app stores (meaning not Google and Samsung) are turned off. Now, I can certainly go into the settings and allow apps to be installed from other sources. However, the page to enable this setting contains a warning that doing so is a security risk. From a technical standpoint, I can certainly install these apps. But disabling third party app stores by default and displaying the warning is likely to discourage some users who would interpret the message to mean that enabling any third party app store inherently makes their phone less secure. The message that I see on my current phone makes no distinction between enabling F-Droid versus enabling some random sketchy source of apps.
In this case, I expect that many users never look at the BIOS setup or change any settings in there. Accessing the BIOS setup at boot time might also mean disabling Windows from fast booting, which is an extra step that's not described on that document. At least on Windows 10, fast boot is a recommended option, which discourages users from disabling it. Users are conditioned to believe that changing system settings is potentially dangerous, and that they probably shouldn't do so.
This definitely isn't a hard barrier to installing Linux. But it is a soft barrier that will probably discourage some users from installing Linux when they otherwise might give it a try. Users like you and me may be able to easily enable third party UEFI keys, but I don't want Linux limited to users who are willing to change settings in the BIOS setup. Even though this is only a soft barrier, I believe it is a story.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest just whinge about SN.
(Score: 5, Interesting) by drussell on Monday July 11 2022, @12:26PM
It isn't just "these" laptops, though.
ANY and ALL PC models from any manufacturer that are sold now with Windows pre-installed which wish to have the "Secured-core PCs" certification will have the 3rd party certs disabled when shipped.
As long as the option is there to disable the restriction, I don't see what the problem is.
The certs are already loaded on the machine. If you want to boot to Linux, you need to disable the silly Microsoft Windows-only "security seal" but as long as the option is actually there to do that, the certs required to secure-boot Linux or other OSs, what's the issue?
Sure, if you work for a bank or something and they supply you a laptop for which they won't give you access to the UEFI password to disable it, you won't be able to even boot Linux from a USB stick but that is the whole point of the bank you work for locking down their computer. Why would that be an issue?
(Score: 2) by drussell on Monday July 11 2022, @12:37PM
Usually you'd have to go in there anyway to enable booting from a USB stick, either to boot a live-distro or to boot your install media if you're doing a permanent installation.
Most machines today won't boot from anything except the internal hard disk by default out-of-the-box, which I would think is generally a good thing given the amount of rogue crap floating around on USB devices.