Microsoft’s Pluton prevents Lenovo ThinkPad laptops with AMD Ryzen 6000 PRO from booting with Linux
The Lenovo Z13 and Z16 laptops announced at CES 2022 this year are among the few featuring AMD Ryzen 6000 PRO series of processors.
Phoronix reports that AMD powered ThinkPad Z13 laptop featuring Ryzen 6000 PRO Zen3+ series has problem booting Linux operating systems. This has been discovered by Matthew Garrett who shared the news on his website.
This laptop is equipped with Lenovo exclusive AMD Ryzen PRO 6860Z processor with built-in Microsoft Pluton security co-processors. This is a dedicated chip that is supposed to increase security for Windows systems by verifying UEFI certificate keys. The problem is that it only trusts Microsoft’s key, not any 3rd party UEFI keys that are used by various Linux distributions.
This essentially means that Lenovo ThinkPad Z13 simply cannot run any Linux system. This laptop ships with Windows 11 by default and while there is no mention of Linux support anywhere, one could also argue that nowhere does it say it cannot boot Linux (and yes we have checked various official specs and press releases).
“This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won’t be able to boot from any third-party external peripherals that are plugged in via Thunderbolt. There’s no security benefit to this. If you want security here you’re paying attention to the values measured into the TPM, and thanks to Microsoft’s own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets. It’s trivial to detect this. Distrusting the 3rd party CA by default doesn’t improve security, it just makes it harder for users to boot alternative operating systems.”
— Matthew Garrett, Security developer at Aurora
Garrett also mentions that this means no support for booting from 3rd party Thunderbolt peripherals. This wouldn’t have been an issue if the embedded Pluton coprocessor would ship as disabled by default. Unfortunately that is not the case.
Although this device has been announced more than half a year ago, we have not seen any reviews that would focus on Linux support. However, this system has only become available a few weeks ago, so there is a chance somebody will still look into this issue.
Source: mjg59 journal via Phoronix