Dev1 Galaxy Forum / New ThinkPads will not boot Linux by default

Re: New ThinkPads will not boot Linux by default

dummy@example.com (Head_on_a_Stick) — Sat, 09 Jul 2022 09:50:23 +0000

https://www.rodsbooks.com/efi-bootloade … ng-sb.html

Re: New ThinkPads will not boot Linux by default

dummy@example.com (kyuss) — Sat, 09 Jul 2022 09:48:44 +0000

Head_on_a_Stick wrote:

kyuss wrote:
But this can be disabled?
The user can disable 3rd party certificates, yes. I've removed all manufacturer-supplied certificates from my machine and just use a single certificate I created.
Some devices (usually discrete GPUs) can require the official Microsoft certificate to be allowed for their pre-installed firmware but the hash can be read from the TPM chip and enrolled into the SecureBoot database. Or so I have read :-)
kyuss wrote:
is the option in the bios to disable secure boot no longer available?
The seems to be present in the PDF to which I linked in the OP. So far.

Where can i read/learn about user created certificates, what would be the best source in your opinion?

Re: New ThinkPads will not boot Linux by default

dummy@example.com (Head_on_a_Stick) — Sat, 09 Jul 2022 09:45:29 +0000

kyuss wrote:

But this can be disabled?

The user can disable 3rd party certificates, yes. I've removed all manufacturer-supplied certificates from my machine and just use a single certificate I created.

Some devices (usually discrete GPUs) can require the official Microsoft certificate to be allowed for their pre-installed firmware but the hash can be read from the TPM chip and enrolled into the SecureBoot database. Or so I have read :-)

kyuss wrote:

is the option in the bios to disable secure boot no longer available?

The seems to be present in the PDF to which I linked in the OP. So far.

Re: New ThinkPads will not boot Linux by default

dummy@example.com (kyuss) — Sat, 09 Jul 2022 09:36:10 +0000

But this can be disabled? So i have read. Is it a case of a certain threat model in regards to not having secure boot enabled? And is the option in the bios to disable secure boot no longer available?

Re: New ThinkPads will not boot Linux by default

dummy@example.com (Head_on_a_Stick) — Sat, 09 Jul 2022 09:11:45 +0000

ThinkPads preinstalled with Linux (or supplied without an operating system, as mine was) will already have 3rd party certificates enabled so I presume that would also be true for other Linux laptop vendors. Thankfully.

Re: New ThinkPads will not boot Linux by default

dummy@example.com (kyuss) — Sat, 09 Jul 2022 08:56:18 +0000

As an option what about the system76 machines that come preloaded with pop os? I know they are systemd but that can be fixed once the machine is in hand surely?

Re: New ThinkPads will not boot Linux by default

dummy@example.com (Camtaf) — Sat, 09 Jul 2022 08:50:35 +0000

That'll most likely turn more people over to other platforms, like Chromebooks, Apple Arm, & other ARM based like Raspberry Pi, or even to the new RISC machines that seem to be slowly appearing - typical MS tactics to try to keep people locked in!!!

WAKE UP MANUFACTURERS, there are other Operating Systems, better than 'Windows', to put on your equipment.

Re: New ThinkPads will not boot Linux by default

dummy@example.com (yeti) — Sat, 09 Jul 2022 06:29:12 +0000

The only surprise is that this did not happen much earlier!

Re: New ThinkPads will not boot Linux by default

dummy@example.com (golinux) — Fri, 08 Jul 2022 18:43:05 +0000

What else would you expect but the tightening of the noose?

New ThinkPads will not boot Linux by default

dummy@example.com (Head_on_a_Stick) — Fri, 08 Jul 2022 17:56:19 +0000

As of 2022 all new Lenovo machines require that the 3rd party UEFI SecureBoot certificate used by Linux distributions (including De{bi,vu}an) be authorised from the firmware ("BIOS") options. No Linux installer will boot on the machines until this is done.

Reference: https://download.lenovo.com/pccbbs/mobi … re_PCs.pdf

Looks like this is a requirement enforced by Microsoft and so might apply to all manufacturers. Nice.