Half a year ago, at CES 2022, Lenovo presented the ThinkPad Z13 and ThinkPad Z16 laptops, which pair AMD Ryzen PRO 6000 processors with dedicated Radeon graphics. So far nothing out of place, but it has recently been discovered that they are not able to run Linux, not even from a live session.
The discovery that the ThinkPad Z13 and Z16 cannot boot Linux comes from Matthew Garrett, a prominent developer and one of the biggest proponents of Secure Boot within Linux. The reason these computers are unable to run Linux is the presence of Microsoft’s own coprocessor, Pluton, which trusts only the Redmond giant’s UEFI key for Windows 11 and not the key the same company provides for third-party and alternative operating systems such as Linux (the Microsoft 3rd Party UEFI CA key).
In other words, the Microsoft Pluton coprocessor is configured to trust only the UEFI Secure Boot key used for Windows 11. This means the laptops work only with the default firmware settings and prevent other systems from booting, because bootloaders and drivers signed with the third-party key are marked as untrusted. Not even distributions with “good” Secure Boot support such as Ubuntu and Fedora pass the filter, and on top of that, in this case, booting from any third-party peripheral connected via Thunderbolt is also prevented.
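The behaviour described above comes down to which certificates the firmware's Secure Boot `db` variable contains. The following Python script, added here as an example and not part of the original article, parses the `EFI_SIGNATURE_LIST` entries of `db` and reports whether the Microsoft Windows CA and the Microsoft 3rd Party UEFI CA are present; the two certificate subject names are the real ones, the `build_list` helper and its placeholder payloads are constructed only so the check can be exercised without firmware access.

```python
"""Check a UEFI Secure Boot 'db' variable for the two Microsoft CAs."""
import struct
import uuid

# GUID that marks an X.509 entry in an EFI_SIGNATURE_LIST (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject CNs of the two Microsoft signing CAs (real names).
WINDOWS_CA = b"Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = b"Microsoft Corporation UEFI CA 2011"
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(data):
    """Yield (type_guid, payload_bytes) for every entry in a db blob."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA = SignatureOwner GUID (16) + payload.
            yield sig_type, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def ca_presence(data):
    """Report which Microsoft CAs appear among the X.509 entries.
    Matching is a byte-substring heuristic on the DER subject, not a
    full X.509 parse; it works because DER stores the CN verbatim."""
    found = {"windows": False, "third_party": False}
    for sig_type, cert in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        found["windows"] |= WINDOWS_CA in cert
        found["third_party"] |= THIRD_PARTY_CA in cert
    return found


def read_db(path=DB_PATH):
    """efivarfs prefixes the variable data with a 4-byte attributes word."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_list(payloads):
    """Constructed helper: pack placeholder payloads as one X.509 list."""
    sig_size = 16 + max(len(p) for p in payloads)
    body = b"".join(uuid.UUID(int=0).bytes_le + p.ljust(sig_size - 16, b"\0") for p in payloads)
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return hdr + body


if __name__ == "__main__":
    print(ca_presence(read_db()))
```

On a machine in the state the article describes, the result would show the Windows CA present and the third-party CA absent, which is exactly why a shim signed by the latter is rejected.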
If one rummages through the official notebook listing on the ThinkPad website, one can find the following statement: “The Z13 and Z16 notebooks are the first in the industry to implement a security processor built into the CPU, which helps eliminate the exposure to threats and prevent physical attacks. This new chip-to-cloud security technology is the result of a partnership between Microsoft and AMD that works together with data encryption and biometric protection as unique as your personal DNA.”
Beyond the issues surrounding biometric authentication, Matthew Garrett is blunt in stating that preventing the loading of third-party keys provides no security benefit and only serves to put up barriers to booting alternative operating systems. The developer reminds that “the complete architecture of UEFI Secure Boot is what allows security without compromising the user’s choice of operating system.”
Secure Boot is a feature that has always generated controversy beyond Windows. Some see it as more of a vendor lock than a true security feature, a view that, in at least some cases, was reinforced by the discovery that Ubuntu supported it outside of the specification itself.
Another episode is the Lockdown security module, which ended up being incorporated into Linux after seven years of discussion between Matthew Garrett and Linus Torvalds, creator of the Linux kernel. That discussion dragged on, and at times became heated, largely because Garrett insisted on tying Lockdown to Secure Boot, while Torvalds opposed it because of the unforeseen consequences it could carry. In the end the creator of Linux managed to impose his point of view, and tying Lockdown to Secure Boot was left as an optional feature.
Aside from the controversy surrounding Linux on the ThinkPad Z13 and ThinkPad Z16, there remains the option of disabling Secure Boot outright. That should remove the barrier that prevents alternative operating systems from starting, since the signature verification step would no longer be present, but who knows what the consequences are on computers with the Microsoft Pluton coprocessor in the middle: it is possible Linux still won’t boot due to hardware incompatibility.