At CES 2022 earlier this year, AMD announced that its Ryzen 6000 "Rembrandt" CPUs were the first in the industry to include Microsoft Pluton support. Alongside that, Lenovo announced that its new ThinkPad Z13 and Z16 notebooks would feature Pluton support. These new ThinkPads are powered by a special Ryzen™ 7 PRO 6860Z CPU.
Microsoft Pluton is a security co-processor for Windows PCs which the Redmond company first introduced back in 2020. Alongside the TPM, Pluton is intended to enhance the security of a Windows system.
Earlier today, Matthew Garrett, a Linux-focused information security architect, discovered something interesting about the new Lenovo ThinkPads with Pluton. Garrett managed to get his hands on a ThinkPad Z13 and found that the device was unable to boot Linux from a USB stick.
From initial investigation, it was concluded that, because of its Secure Boot configuration, Pluton is set up to accept only Windows bootloaders and drivers and refuses to run anything non-Windows. Linux distributions rely on the Microsoft 3rd Party UEFI Certificate Authority (CA) for Secure Boot, and it looks like Pluton will reject anything signed under it. Here's what Matthew Garrett writes in his blog post:
I finally managed to get hold of a Thinkpad Z13 to examine a functional implementation of Microsoft's Pluton security co-processor. Trying to boot Linux from a USB stick failed out of the box for no obvious reason, but after further examination the cause became clear - the firmware defaults to not trusting bootloaders or drivers signed with the Microsoft 3rd Party UEFI CA key. This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt.
Lenovo, in a support document (PDF), confirms this is the case: starting in 2022, the third-party certificate is disabled by default, as recommended by Microsoft for a Secure Boot PC. It notes:
Linux distributions use a Microsoft signed ‘shim’ executable that is then able to verify the subsequent boot stages - that have been signed with the distribution key. The Microsoft signed shim is signed using the “Microsoft 3rd Party UEFI Certificate”, and this certificate is stored in the BIOS database. Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default.
There is a silver lining, though: those who wish to run Linux on a Lenovo laptop with Secure Boot can do so by enabling the “Allow Microsoft 3rd Party UEFI CA” option in the BIOS. Here are the steps:
- Boot into the BIOS setup menu: reboot your PC and, when the “To interrupt normal startup, press Enter” message is displayed, press the F1 key.
- In the BIOS menu, select the “Security” option and then the “Secure Boot” sub-menu. Toggle “Allow Microsoft 3rd party UEFI CA” to “On”.
- Press F10 to save and reboot.
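The BIOS toggle above decides whether the firmware trusts the Microsoft 3rd Party UEFI CA, which is the certificate that signs the Linux shim. Once a Linux system is up (for example from a live USB after the toggle has been enabled), it is possible to verify from the OS which certificates Secure Boot actually trusts, because the firmware exposes the `db` variable through efivarfs. The script below is an added example, not code from Lenovo, Microsoft or Matthew Garrett: it parses the `EFI_SIGNATURE_LIST` structures that make up `db` and reports whether an X.509 entry carries the subject name "Microsoft Corporation UEFI CA 2011". The assumptions are that the firmware implements the toggle by leaving that certificate out of `db` (rather than through some other mechanism), and that matching the subject name as a byte string inside the DER blob is an acceptable heuristic (a thorough check would parse the DER, e.g. with `openssl x509`). The sample `db` contents at the bottom are constructed stand-ins, not real certificates. Tools such as `mokutil --db` or `efi-readvar -v db` from efitools show the same information interactively.

```python
"""Check whether the Microsoft 3rd Party UEFI CA is enrolled in the Secure Boot db.

Added example (not Lenovo's, Microsoft's or Matthew Garrett's code). Parses the
EFI_SIGNATURE_LIST format of the db variable; the certificate match is a
heuristic byte-string scan for the CA's subject common name.
"""
import struct
import uuid

# GUID marking an EFI_SIGNATURE_LIST that holds DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID of the Secure Boot image-security variables (db, dbx, dbt).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3e-4596-a3bc-dad00e67656f"
DB_EFIVARS_PATH = f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}"

# Subject CN of the CA that signs shim; matched as raw bytes inside the DER (heuristic).
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"

# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes):
    """Split a concatenation of EFI_SIGNATURE_LISTs into (type, owner, payload) tuples."""
    entries = []
    off = 0
    while off < len(data):
        if off + SIG_LIST_HEADER.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(data, off)
        if list_size < SIG_LIST_HEADER.size or off + list_size > len(data):
            raise ValueError("invalid SignatureListSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + SIG_LIST_HEADER.size + hdr_size
        end = off + list_size
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the data.
        while sig_size >= 16 and pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def third_party_ca_enrolled(db: bytes) -> bool:
    """True if some X.509 entry in db carries the 3rd Party UEFI CA subject name."""
    return any(sig_type == EFI_CERT_X509_GUID and THIRD_PARTY_CA_CN in payload
               for sig_type, _owner, payload in parse_signature_lists(db))


def read_db_from_efivars(path: str = DB_EFIVARS_PATH) -> bytes:
    """Read db via efivarfs; the first 4 bytes of such a file are variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payload: bytes) -> bytes:
    """Encode a single-entry EFI_SIGNATURE_LIST (used below to construct sample data)."""
    sig = owner.bytes_le + payload
    return SIG_LIST_HEADER.pack(sig_type.bytes_le, SIG_LIST_HEADER.size + len(sig), 0, len(sig)) + sig


# Constructed sample data: the payloads are stand-ins for DER certificates that
# carry only the subject names the heuristic looks for; the owner GUID is made up.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
WINDOWS_PCA_ENTRY = build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, b"\x30\x82CONSTRUCTED Microsoft Windows Production PCA 2011")
THIRD_PARTY_ENTRY = build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, b"\x30\x82CONSTRUCTED " + THIRD_PARTY_CA_CN)
DB_DEFAULT_2022 = WINDOWS_PCA_ENTRY                        # 3rd Party CA absent (assumed default)
DB_WITH_TOGGLE_ON = WINDOWS_PCA_ENTRY + THIRD_PARTY_ENTRY  # after enabling the BIOS option

if __name__ == "__main__":
    try:
        print("3rd Party UEFI CA enrolled:", third_party_ca_enrolled(read_db_from_efivars()))
    except OSError as exc:
        print("could not read efivarfs db, using constructed samples:", exc)
        print("default sample:", third_party_ca_enrolled(DB_DEFAULT_2022))
        print("toggle-on sample:", third_party_ca_enrolled(DB_WITH_TOGGLE_ON))
```

Run it as root on a machine booted with Secure Boot; on a system that cannot read efivarfs it falls back to the constructed samples so the parsing logic can still be exercised. If the check reports the CA as absent while the BIOS option is on, the firmware is enforcing the policy some other way and the heuristic does not apply.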
Interestingly, however, Lenovo had earlier stated that Pluton would be disabled by default on its 2022 ThinkPad models, which includes the Z13 examined here. We wonder whether this decision had anything to do with the stringent Microsoft requirement, mentioned above, to reject 3rd Party UEFI keys.