Choosing a non-Windows OS on Lenovo Secured-core PCs is trickier than it should be

Lenovo's laptops caused a disturbance last week after a security engineer found himself unable to boot up a copy of Linux due to restrictions that are apparently insisted upon by Microsoft.

Matthew Garrett, an information security architect, was keen to check out Lenovo's latest Pluton-equipped wares but found himself unable to boot Linux from a USB stick "for no obvious reason."

Pluton is Microsoft's latest effort to secure PCs and can act as both a Trusted Platform Module (TPM) or as a non-TPM security co-processor. It emerged in 2020, with Microsoft saying Intel, AMD, and Qualcomm were all onboard. While Acer launched tech with the kit in May, Dell is not keen and Lenovo started the year saying it wouldn't be turned on by default.

A Microsoft spokesperson told The Register in January that using the tech with Linux was "an unsupported scenario."

Garrett was keen to examine a functional implementation of the co-processor, but upon unboxing a new Z13 found himself unable to boot into anything but the pre-installed Windows.

Historically, many Linux distributions have worked with Secure Boot to ensure that the boot loader and kernel have not been tampered with.

Lenovo's support documentation [PDF] explains it thus: "Linux distributions use a Microsoft signed 'shim' executable that is then able to verify the subsequent boot stages that have been signed with the distribution key. The Microsoft signed shim is signed using the 'Microsoft 3rd Party UEFI Certificate', and this certificate is stored in the BIOS database."

So far so good. However, for Secured Core PCs "it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default," according to Lenovo.

• PC sales take double-digit tumble in Q2 amid economic downturn
• Gartner predicts 9.5% drop in PC shipments
• Will Lenovo ever think beyond hardware?
• Lenovo reveals small but mighty desktop workstation

Therefore if your PC ships with Windows pre-installed, there is an additional step to be taken to install Linux (or boot into something else) involving a jump into the BIOS setup to enable the Microsoft 3rd Party UEFI Certificate once again.

Unsurprisingly, Garrett was unimpressed, noting: "The entire architecture of UEFI secure boot is that it allows for security without compromising user choice of OS. Restricting boot to Windows by default provides no security benefit but makes it harder for people to run the OS they want to. Please fix it."

Lenovo veteran Mark Pearson weighed into the discussion, remarking of the certificate: "We should have it enabled for our Linux preloaded systems – but it isn't for the Windows preload.

"I don't think this is a Lenovo specific thing, maybe we're the first out with secured-core?"

Maybe. Or maybe other vendors might have a slightly different take on matters.

Just as a counter-example, we advocated very strongly to keep the 3rd party UEFI CA in our default DB for all configs to support customer flexibility. You'll have to figure out who else was in the room for these conversations for yourself... #iwork4dell

— Rick Martinez (@rickmartinez06) July 8, 2022

The Register contacted both Microsoft and Lenovo regarding the Secured-core requirements and will update this piece should either respond. ®