The officially official Devuan Forum!

You are not logged in.

#1 2022-07-08 17:56:19

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

New ThinkPads will not boot Linux by default

As of 2022 all new Lenovo machines require that the 3rd party UEFI SecureBoot certificate used by Linux distributions (including De{bi,vu}an) be authorised from the firmware ("BIOS") options. No Linux installer will boot on the machines until this is done.

Reference: https://download.lenovo.com/pccbbs/mobi โ€ฆ re_PCs.pdf

Looks like this is a requirement enforced by Microsoft and so might apply to all manufacturers. Nice.


Brianna Ghey โ€” Rest In Power

Offline

#2 2022-07-08 18:43:05

golinux
Administrator
Registered: 2016-11-25
Posts: 3,316  

Re: New ThinkPads will not boot Linux by default

What else would you expect but the tightening of the noose?

Offline

#3 2022-07-09 06:29:12

yeti
Member
From: I'm not here: U R halucinating
Registered: 2017-02-23
Posts: 334  

Re: New ThinkPads will not boot Linux by default

The only surprise is that this did not happen much earlier!


*๐š›๐š’๐š‹๐š‹๐š’๐š!*

Offline

#4 2022-07-09 08:50:35

Camtaf
Member
Registered: 2019-11-19
Posts: 436  

Re: New ThinkPads will not boot Linux by default

That'll most likely turn more people over to other platforms, like Chromebooks, Apple Arm, & other ARM based like Raspberry Pi, or even to the new RISC machines that seem to be slowly appearing - typical MS tactics to try to keep people locked in!!!

WAKE UP MANUFACTURERS, there are other Operating Systems, better than 'Windows', to put on your equipment.

Last edited by Camtaf (2022-07-09 08:55:46)

Offline

#5 2022-07-09 08:56:18

kyuss
Member
Registered: 2022-06-28
Posts: 21  

Re: New ThinkPads will not boot Linux by default

As an option what about the system76 machines that come preloaded with pop os? I know they are systemd but that can be fixed once the machine is in hand surely?

Offline

#6 2022-07-09 09:11:45

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: New ThinkPads will not boot Linux by default

ThinkPads preinstalled with Linux (or supplied without an operating system, as mine was) will already have 3rd party certificates enabled so I presume that would also be true for other Linux laptop vendors. Thankfully.


Brianna Ghey โ€” Rest In Power

Offline

#7 2022-07-09 09:36:10

kyuss
Member
Registered: 2022-06-28
Posts: 21  

Re: New ThinkPads will not boot Linux by default

But this can be disabled? So i have read. Is it a case of a certain threat model in regards to not having secure boot enabled? And is the option in the bios to disable secure boot no longer available?

Offline

#8 2022-07-09 09:45:29

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: New ThinkPads will not boot Linux by default

kyuss wrote:

But this can be disabled?

The user can disable 3rd party certificates, yes. I've removed all manufacturer-supplied certificates from my machine and just use a single certificate I created.

Some devices (usually discrete GPUs) can require the official Microsoft certificate to be allowed for their pre-installed firmware but the hash can be read from the TPM chip and enrolled into the SecureBoot database. Or so I have read :-)

kyuss wrote:

is the option in the bios to disable secure boot no longer available?

The seems to be present in the PDF to which I linked in the OP. So far.

Last edited by Head_on_a_Stick (2022-07-09 09:47:37)


Brianna Ghey โ€” Rest In Power

Offline

#9 2022-07-09 09:48:44

kyuss
Member
Registered: 2022-06-28
Posts: 21  

Re: New ThinkPads will not boot Linux by default

Head_on_a_Stick wrote:
kyuss wrote:

But this can be disabled?

The user can disable 3rd party certificates, yes. I've removed all manufacturer-supplied certificates from my machine and just use a single certificate I created.

Some devices (usually discrete GPUs) can require the official Microsoft certificate to be allowed for their pre-installed firmware but the hash can be read from the TPM chip and enrolled into the SecureBoot database. Or so I have read :-)

kyuss wrote:

is the option in the bios to disable secure boot no longer available?

The seems to be present in the PDF to which I linked in the OP. So far.

Where can i read/learn about user created certificates, what would be the best source in your opinion?

Offline

#10 2022-07-09 09:50:23

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: New ThinkPads will not boot Linux by default


Brianna Ghey โ€” Rest In Power

Offline

Board footer