A Microsoft coprocessor prevents Linux from booting on ThinkPad

Lenovo introduced the ThinkPad Z13 and ThinkPad Z16 notebooks at CES 2022 half a year ago, utilizing AMD Ryzen PRO 6000 processing technology and discrete Radeon graphics. So far, nothing out of the ordinary, however, it was just revealed that they are unable to operate Linux, even in a live session.

Jul 21, 2022 - 10:23

The finding that the ThinkPad Z13 and Z16 laptops cannot boot Linux comes from Matthew Garrett, a well-known developer and one of the most vocal supporters of Secure Boot in Linux. Microsoft's own coprocessor, Pluton, present on these PCs, prevents them from running Linux because the firmware trusts only Microsoft's own UEFI signing key for Windows 11, not the third-party key used to sign Linux bootloaders (the Microsoft 3rd Party UEFI CA key).

In other words, the Microsoft Pluton coprocessor is configured to trust only the UEFI Secure Boot key used for Windows 11. With the default firmware settings, these laptops therefore refuse to boot any other system, because bootloaders and drivers signed with the third-party key are treated as untrusted. Even distributions with "excellent" Secure Boot support, such as Ubuntu and Fedora, are rejected, and booting from any third-party peripheral connected via Thunderbolt is likewise blocked.
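The trust decision described above comes down to which certificates are enrolled in the firmware's Secure Boot `db` variable: a shim-signed Linux bootloader verifies only if the Microsoft 3rd Party UEFI CA is present there. The following script is an added example, not code from the article or from Lenovo, Microsoft or Matthew Garrett. It parses the standard `EFI_SIGNATURE_LIST` format that `db` uses and reports whether the third-party CA is trusted. The signature-type GUIDs, the efivarfs path and the CA subject names are the standard UEFI and Microsoft values; the two sample `db` blobs at the bottom are constructed, and the "certificates" in them are placeholders carrying only the subject CN, not real X.509 data.

```python
"""Inspect a UEFI Secure Boot 'db' variable and report which Microsoft CAs it trusts."""
import hashlib
import struct
import uuid

# Standard UEFI signature-type GUIDs (from the UEFI specification)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Path of the live 'db' variable under Linux efivarfs (EFI_IMAGE_SECURITY_DATABASE_GUID)
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Subject CNs of the two Microsoft signing CAs: distribution shims are signed under the
# "UEFI CA 2011" (the third-party CA), Windows boot components under the "Production PCA".
WINDOWS_CA_CN = b"Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"

SIGLIST_HDR = 16 + 4 + 4 + 4  # SignatureType GUID + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(blob):
    """Return [(signature_type, owner_guid, signature_data)] for every entry in blob."""
    entries = []
    off = 0
    while off + SIGLIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HDR or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed or truncated EFI_SIGNATURE_LIST")
        pos = off + SIGLIST_HDR + hdr_size
        # Each EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def trusted_ca_names(blob):
    """Names of the known Microsoft CAs whose X.509 certificate is enrolled in blob.

    DER encodes the subject CN verbatim as a PrintableString, so a byte scan of the
    certificate body recognises these well-known CAs without a full X.509 parser.
    """
    found = set()
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for cn in (WINDOWS_CA_CN, THIRD_PARTY_CA_CN):
            if cn in data:
                found.add(cn.decode())
    return found


def third_party_boot_allowed(blob):
    """True when shim-signed (Linux) bootloaders would pass db verification."""
    return THIRD_PARTY_CA_CN.decode() in trusted_ca_names(blob)


def read_db_from_efivarfs(path=DB_EFIVAR_PATH):
    """Read the live db variable; efivarfs prefixes the data with 4 attribute bytes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# --- Constructed sample data below; not real firmware contents ---

def build_signature_list(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST; all payloads in a list must be the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("signatures in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body


def fake_der_cert(cn):
    """Placeholder: a DER-looking blob carrying cn as a PrintableString, NOT a real cert."""
    body = b"\x13" + bytes([len(cn)]) + cn
    return b"\x30\x82" + struct.pack(">H", len(body)) + body


# Owner GUID only records who enrolled an entry; any value works for this constructed sample.
OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
DB_DEFAULT = (  # typical default db: Windows CA, third-party CA, plus two hash entries
    build_signature_list(EFI_CERT_X509_GUID, OWNER, [fake_der_cert(WINDOWS_CA_CN)])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [fake_der_cert(THIRD_PARTY_CA_CN)])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                           [hashlib.sha256(b"hash-entry-1").digest(),
                            hashlib.sha256(b"hash-entry-2").digest()])
)
DB_WINDOWS_ONLY = build_signature_list(EFI_CERT_X509_GUID, OWNER, [fake_der_cert(WINDOWS_CA_CN)])

if __name__ == "__main__":
    for name, blob in (("default db", DB_DEFAULT), ("Windows-only db", DB_WINDOWS_ONLY)):
        print(f"{name}: trusts {sorted(trusted_ca_names(blob))}, "
              f"Linux shim bootable: {third_party_boot_allowed(blob)}")
```

On a real machine, call `trusted_ca_names(read_db_from_efivarfs())` as root to see the same answer for the firmware you are actually running; `mokutil --db` or `efi-readvar -v db` from efitools show the full certificate details if you want more than the CN check. A `db` that lists only the Windows Production PCA is exactly the configuration the article describes.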

If one looks through the official laptop listing on the ThinkPad website, one will find the following statement: "The Z13 and Z16 notebooks are the first in the industry to deploy a security processor embedded into the CPU, which helps eliminate threat exposure and prevent physical attacks. This new chip-to-cloud security technology is the result of a collaboration between Microsoft and AMD, and it works with data encryption and biometric protection as personal as your DNA."

Aside from the issues surrounding biometric authentication, Matthew Garrett is adamant that refusing to trust the third-party key provides no security value and merely places barriers in the way of alternative operating systems. According to the developer, "the entire architecture of UEFI Secure Boot is what provides security without compromising the user's choice of the operating system."

Beyond Windows, Secure Boot has always been a source of contention. Some regard it as more of a vendor lock-in than a legitimate security feature, a view that was borne out in at least some situations by the finding that Ubuntu supported it outside of the specification itself.

Another example is the Lockdown security module, which was merged into Linux after seven years of discussion between Matthew Garrett and Linus Torvalds, the creator of the Linux kernel. The debate, which grew heated at times, dragged on partly because Garrett insisted on tying Lockdown to Secure Boot, while Torvalds opposed this because of the potentially disastrous repercussions. In the end, the Linux founder prevailed, and tying Lockdown to Secure Boot was left as an optional feature.

Beyond the debate over running Linux on the ThinkPad Z13 and Z16 notebooks, there is still the option to disable Secure Boot altogether. That should remove the barrier that prevents alternative operating systems from booting, but the consequences on computers with the Microsoft Pluton coprocessor in the middle are unknown: signature verification should no longer be in the way, yet Linux may still fail to boot because of hardware incompatibility.

Post by Bryan C.