[personal profile] mjg59
Update: Patches to fix this have been posted

There's a story going round that Lenovo have signed an agreement with Microsoft that prevents installing free operating systems. This is sensationalist, untrue and distracts from a genuine problem.

The background is straightforward. Intel platforms allow the storage to be configured in two different ways - "standard" (normal AHCI on SATA systems, normal NVMe on NVMe systems) or "RAID". "RAID" mode is typically just changing the PCI IDs so that the normal drivers won't bind, ensuring that drivers that support the software RAID mode are used. Intel have not submitted any patches to Linux to support the "RAID" mode.

In this specific case, Lenovo's firmware defaults to "RAID" mode and doesn't allow you to change that. Since Linux has no support for the hardware when configured this way, you can't install Linux (distribution installers will boot, but won't find any storage device to install the OS to).

Why would Lenovo do this? I don't know for sure, but it's potentially related to something I've written about before - recent Intel hardware needs special setup for good power management. The storage driver that Microsoft ship doesn't do that setup. The Intel-provided driver does. "RAID" mode prevents the Microsoft driver from binding and forces the user to use the Intel driver, which means they get the correct power management configuration, battery life is better and the machine doesn't melt.

(Why not offer the option to disable it? A user who does would end up with a machine that doesn't boot, and if they managed to figure that out they'd have worse power management. That increases support costs. For a consumer device, why would you want to? The number of people buying these laptops to run anything other than Windows is miniscule)

Things are somewhat obfuscated due to a statement from a Lenovo rep:This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft. It's unclear what this is meant to mean. Microsoft could be insisting that Signature Edition systems ship in "RAID" mode in order to ensure that users get a good power management experience. Or it could be a misunderstanding regarding UEFI Secure Boot - Microsoft do require that Secure Boot be enabled on all Windows 10 systems, but (a) the user must be able to manage the key database and (b) there are several free operating systems that support UEFI Secure Boot and have appropriate signatures. Neither interpretation indicates that there's a deliberate attempt to prevent users from installing their choice of operating system.

The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred. Rather than be angry at Lenovo, let's put pressure on Intel to provide support for their hardware.

Microsoft's Secure Boot requirements

Date: 2016-09-21 10:27 pm (UTC)
From: (Anonymous)
Thanks a lot for doing this write-up, this clarifies things greatly. After arguing with a friend, I was wondering though where the requirement 'the user must be able to manage the key database' originates. Is this part of the Secure Boot specs or is this only required for Microsoft's Windows certification? Thanks!

Re: Microsoft's Secure Boot requirements

Date: 2016-09-22 02:57 pm (UTC)
From: (Anonymous)
It's part of Microsoft's certification requirements, *for x86 systems*. The requirements for ARM were the exact opposite (they say that the user must *not* be able to change the key), though since barely anyone's doing Windows-on-ARM any more that's becoming increasingly less relevant. The UEFI specification (where Secure Boot is actually defined) doesn't prescribe anything about how it should be set up out of the box in any particular firmware implementation (whether any keys should be pre-loaded, whose they should be if so, whether there should be an interface for changing them, etc.)

Re: Microsoft's Secure Boot requirements

Date: 2016-09-23 04:33 am (UTC)
From: (Anonymous)
Windows on ARM flopped. Nobody is making those systems anymore. So they decided to lock us out of our PCs instead. Not with Secure Boot, but with other means.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags