AMD Ryzen PRO 6860Z powered Lenovo Z13 notebook with Microsoft Pluton co-processor can’t boot Linux operating systems

Published: 8th Jul 2022, 11:18 GMT

Microsoft’s Pluton prevents Lenovo ThinkPad laptops with AMD Ryzen 6000 PRO from booting with Linux

The Lenovo Z13 and Z16 laptops announced at CES 2022 this year are among the few featuring AMD Ryzen 6000 PRO series processors.

Phoronix reports that the AMD-powered ThinkPad Z13 laptop featuring a Ryzen 6000 PRO Zen3+ series processor has problems booting Linux operating systems. This was discovered by Matthew Garrett, who shared the news on his website.

This laptop is equipped with the Lenovo-exclusive AMD Ryzen PRO 6860Z processor with a built-in Microsoft Pluton security co-processor. This is a dedicated chip that is supposed to increase security for Windows systems by verifying UEFI certificate keys. The problem is that it only trusts Microsoft’s key, not any 3rd party UEFI keys that are used by various Linux distributions.

This essentially means that the Lenovo ThinkPad Z13 simply cannot run any Linux system. This laptop ships with Windows 11 by default, and while there is no mention of Linux support anywhere, one could also argue that nowhere does it say it cannot boot Linux (and yes, we have checked various official specs and press releases).

“This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won’t be able to boot from any third-party external peripherals that are plugged in via Thunderbolt. There’s no security benefit to this. If you want security here you’re paying attention to the values measured into the TPM, and thanks to Microsoft’s own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets. It’s trivial to detect this. Distrusting the 3rd party CA by default doesn’t improve security, it just makes it harder for users to boot alternative operating systems.”

— Matthew Garrett, Security developer at Aurora
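The measurement argument in the quote above can be modelled in a few lines. This is an added example, not code from the article or from Garrett's post: it replays a simplified PCR 7 event sequence and shows that a secret sealed after a Windows boot is not released when the loader was verified by the 3rd party CA, even though both CAs are trusted. The event contents are constructed placeholders (real firmware measures structured variable data), and `seal`/`unseal` are a hypothetical stand-in for a TPM PCR policy.

```python
import hashlib

PCR_INIT = bytes(32)  # a PCR starts as all zeros at reset

def extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA256(PCR_old || SHA256(event_data))."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()

# Constructed stand-ins for the Secure Boot variables measured into PCR 7.
# The db here trusts BOTH Microsoft CAs, i.e. the 3rd party CA is enabled.
SECURE_BOOT_CONFIG = [
    b"SecureBoot=1",
    b"PK=<constructed platform key>",
    b"KEK=<constructed key exchange keys>",
    b"db=<windows CA>,<3rd party UEFI CA>",
    b"dbx=<constructed revocation list>",
    b"SEPARATOR",
]
WINDOWS_CA = b"authority=<windows CA>"             # verified the Windows boot manager
THIRD_PARTY_CA = b"authority=<3rd party UEFI CA>"  # verified e.g. a Linux shim

def pcr7_after_boot(authority: bytes) -> bytes:
    """Replay the events: configuration first, then the authority that verified the loader."""
    pcr = PCR_INIT
    for event in SECURE_BOOT_CONFIG + [authority]:
        pcr = extend(pcr, event)
    return pcr

def seal(secret: bytes, pcr7: bytes) -> dict:
    """Model of a PCR-bound blob: records the PCR 7 value required for release."""
    return {"policy": hashlib.sha256(pcr7).digest(), "secret": secret}

def unseal(blob: dict, current_pcr7: bytes) -> bytes:
    """Release the secret only if the current PCR 7 satisfies the stored policy."""
    if hashlib.sha256(current_pcr7).digest() != blob["policy"]:
        raise PermissionError("PCR 7 mismatch: boot chain differs from the sealed one")
    return blob["secret"]

if __name__ == "__main__":
    blob = seal(b"disk-encryption-key", pcr7_after_boot(WINDOWS_CA))
    print("Windows boot  :", unseal(blob, pcr7_after_boot(WINDOWS_CA)))
    try:
        unseal(blob, pcr7_after_boot(THIRD_PARTY_CA))
    except PermissionError as err:
        print("3rd party boot:", err)
```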

Garrett also mentions that this means no support for booting from 3rd party Thunderbolt peripherals. This wouldn’t have been an issue if the embedded Pluton coprocessor shipped disabled by default. Unfortunately, that is not the case.

Although this device was announced more than half a year ago, we have not seen any reviews that focus on Linux support. However, this system only became available a few weeks ago, so there is a chance somebody will still look into this issue.

Lenovo ThinkPad Z13 on security, Source: Lenovo

Source: mjg59 journal via Phoronix



