New Lenovo AMD Laptops With Pluton Co-Processor Reportedly Only Boot Windows By Default

Written by Michael Larabel in Hardware on 8 July 2022 at 05:25 AM EDT. 53 Comments
At least some of Lenovo's new AMD Rembrandt-powered laptops with the Microsoft Pluton security co-processor are configured by default to trust only Microsoft's own key and not the Microsoft 3rd Party UEFI CA key that Linux distributions and others rely on for UEFI Secure Boot support. With the default firmware configuration, only Microsoft Windows will therefore boot on some new Lenovo laptops.

AMD's Ryzen 6000 series mobile CPUs, launched earlier this year, feature Microsoft's Pluton security co-processor. When AMD Rembrandt with Pluton was announced earlier this year, Linux security specialist Matthew Garrett indicated it was not a big deal; now that he has his hands on a new Lenovo Z13 AMD laptop he is singing a slightly different tune, since hardware vendors do funny things...

Matthew Garrett discovered that Linux would not boot by default on the new Lenovo ThinkPad Z13 because its default firmware configuration does not trust bootloaders and drivers signed with the Microsoft 3rd Party UEFI CA key. He wrote on his blog, "This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt. There's no security benefit to this. If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets. It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems."

Lenovo Z13

Restricting the default to Windows only is rather silly, but at least it sounds like the setting can still be changed from within the UEFI BIOS to allow alternative operating systems to boot. Hopefully Lenovo changes this, as it is a rather silly move to see from them given their Linux support that had been increasing in recent times.

Finally, in the next week or so I'll have my hands on a Lenovo ThinkPad X13 Gen3 AMD with a Ryzen 7 PRO 6850U, so I'll also be able to look more at AMD Rembrandt support in general under Linux and any Pluton/security oddities there.

Update (11 July): AMD has reached out with their comment on the matter:
AMD supports Ryzen PRO 6000 processors with Linux, including partnering with select Linux distribution vendors on certifications for OEM products. The Pluton security co-processor built into our Ryzen 6000 processors does not prohibit platforms from running Linux. Some OEM systems initially shipped with Windows may need to reconfigure their systems to boot Linux. To enable booting Linux on a platform that was shipped with Windows, a user can either:

1. Enable the Microsoft 3rd Party UEFI CA in the UEFI secure boot database.

2. Disable UEFI secure boot.

Some OEMs have provided guidance for their specific platforms. A document from Lenovo is posted here.
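A practical way to tell, from a running Linux system, whether step 1 above is already in effect is to read the Secure Boot "db" variable and look for Microsoft's two signing CAs among its X.509 entries. The script below is an added example written for this article; it is not code from Phoronix, AMD, Lenovo or Matthew Garrett. It parses the EFI_SIGNATURE_LIST layout that the db variable uses, and identifies the certificates by matching their subject common-name bytes inside the DER data (a heuristic that avoids a full X.509 parser). The efivarfs paths and the 4-byte attribute prefix are standard Linux behaviour; the certificate blobs in the sample data are constructed placeholders that merely contain the CA names, not real certificates.

```python
import struct
import uuid
from pathlib import Path

# GUID that marks X.509 certificate entries in an EFI_SIGNATURE_LIST (EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs paths for the Secure Boot "db" (allowed signers) and the SecureBoot state flag.
DB_VAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

# Subject common names of Microsoft's two Secure Boot CAs. The CN is stored as an ASCII
# PrintableString inside the DER certificate, so these bytes appear verbatim in the blob.
WINDOWS_CA_CN = b"Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"


def parse_signature_lists(data):
    """Return [(signature_type, owner, signature_data), ...] for a buffer holding one or
    more consecutive EFI_SIGNATURE_LIST structures, which is how db/dbx/KEK are laid out.
    Header: SignatureType GUID (16) + ListSize, HeaderSize, SignatureSize (3 x UINT32)."""
    entries = []
    off = 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + header_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def microsoft_cas_in_db(db_bytes):
    """Report which of Microsoft's two CAs are present among the db's X.509 entries."""
    found = {"windows": False, "third_party": False}
    for sig_type, _owner, cert_der in parse_signature_lists(db_bytes):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # skip hash entries and other signature types
        if WINDOWS_CA_CN in cert_der:
            found["windows"] = True
        if THIRD_PARTY_CA_CN in cert_der:
            found["third_party"] = True
    return found


def read_efivar(path):
    """efivarfs prefixes every variable with its 4-byte attribute word; strip it."""
    return path.read_bytes()[4:]


def describe(found):
    if found["third_party"]:
        return "db trusts the Microsoft 3rd Party UEFI CA: shim-signed Linux bootloaders can boot"
    if found["windows"]:
        return "db trusts only Microsoft's Windows CA: with Secure Boot on, only Windows will boot"
    return "no Microsoft CA found in db"


def build_signature_list(sig_type, blobs):
    """Pack blobs into one EFI_SIGNATURE_LIST (all entries in a list share one size)."""
    sig_size = 16 + len(blobs[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + blob for blob in blobs)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed sample data: placeholder blobs standing in for DER certificates.
FAKE_WINDOWS_CERT = b"\x30\x82" + WINDOWS_CA_CN + b"\x00" * 8
FAKE_THIRD_PARTY_CERT = b"\x30\x82" + THIRD_PARTY_CA_CN + b"\x00" * 8
SAMPLE_DB_WINDOWS_ONLY = build_signature_list(EFI_CERT_X509_GUID, [FAKE_WINDOWS_CERT])
SAMPLE_DB_BOTH = SAMPLE_DB_WINDOWS_ONLY + build_signature_list(
    EFI_CERT_X509_GUID, [FAKE_THIRD_PARTY_CERT])

if __name__ == "__main__":
    if DB_VAR.exists():
        sb_on = SECUREBOOT_VAR.exists() and read_efivar(SECUREBOOT_VAR)[:1] == b"\x01"
        print("Secure Boot:", "enabled" if sb_on else "disabled")
        print(describe(microsoft_cas_in_db(read_efivar(DB_VAR))))
    else:
        print("no efivarfs db variable; running against constructed sample data")
        print(describe(microsoft_cas_in_db(SAMPLE_DB_WINDOWS_ONLY)))
        print(describe(microsoft_cas_in_db(SAMPLE_DB_BOTH)))
```

Run it as root on the laptop in question: a "windows only" verdict with Secure Boot enabled is exactly the out-of-the-box state described above, and the fix is the firmware toggle AMD's step 1 refers to rather than anything done from the OS. The same information can be cross-checked with `mokutil --sb-state` and `efi-readvar -v db` from the efitools package, which parse the variable the same way.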


Update 2 (15 July): I've posted my experience Booting Linux On A Modern AMD Ryzen 6000 Series Laptop / ThinkPad X13 Gen3.