[personal profile] mjg59
A (well, now former) coworker let me know about a problem he was having with a Lenovo Thinkcentre M92p. It booted Fedora UEFI install media fine, but after an apparently successful installation refused to boot. UEFI installs on Windows worked perfectly. Secure Boot was quickly ruled out, but this could still have been a number of things. The most interesting observation was that the Fedora boot option didn't appear in the firmware boot menu at all, but Windows did. We spent a little while comparing the variable contents, gradually ruling out potential issues - Linux was writing an entry that had an extra 6 bytes in a structure, for instance[1], and a sufficiently paranoid firmware implementation may have been tripping up on that. Fixing that didn't help, though. Finally we tried just taking the Windows entry and changing the descriptive string. And it broke.

Every UEFI boot entry has a descriptive string. This is used by the firmware when it's presenting a menu to users - instead of "Hard drive 0" and "USB drive 3", the firmware can list "Windows Boot Manager" and "Fedora Linux". There's no reason at all for the firmware to be parsing these strings. But the evidence seemed pretty strong - given two identical boot entries, one saying "Windows Boot Manager" and one not, only the first would work. At this point I downloaded a copy of the firmware and started poking at it. Turns out that yes, actually, there is a function that compares the descriptive string against "Windows Boot Manager" and appears to return an error if it doesn't match. What's stranger is that it also checks for "Red Hat Enterprise Linux" and lets that one work as well.

This is, obviously, bizarre. A vendor appears to have actually written additional code to check whether an OS claims to be Windows before it'll let it boot. Someone then presumably tested booting RHEL on it and discovered that it didn't work. Rather than take out that check, they then addded another check to let RHEL boot as well. We haven't yet verified whether this is an absolute string match or whether a prefix of "Red Hat Enterprise Linux" is sufficient, and further examination of the code may reveal further workarounds. For now, if you want to run Fedora[2] on these systems you're probably best off changing the firmware to perform a legacy boot.

[1] src/include/efi.h: uint8_t padding[6]; /* Emperically needed */, says the efibootmgr source code. Unhelpful.
[2] Or Ubuntu, or Suse, or…
From: [identity profile] https://www.google.com/accounts/o8/id?id=AItOawk2y7Dtgp-Qx3hq7GJI_X-deTulE8Evbp4
This issue looks like an innocent misfeature, but not all Lenovo's firmware quirks are.

They also have a WiFi/3G card whitelist that stops you using non-Lenovo cards. When pressed they'll claim that the FCC makes them do this. When you point out that (a) you don't live in the US and what the FCC says doesn't matter; and (b) they've never cited the actual regulation in question, they'll change their story to say that "regulators" around the world make them.

Oddly, those same regulations appear to also affect HP, but not Dell or Acer.

They don't disclose their hardware lockout on their web site, sales documentation, etc.

I wrote a bit of a rant about this when it bit me a while ago. On the upside they replaced my 3G card free of charge with a Lenovo one; on the flip side, they still haven't fixed their website and the new card doesn't work as well as my old one did.

They really shouldn't be able to sell machines as "Mobile Broadband Ready" when they mean "Lenovo Mobile Broadband Card ready (approved models only, machine will fail to POST with non-approved card installed)".

Blog post with details, quotes from Lenovo emails, quotes from sales chat, etc (http://blog.ringerc.id.au/2012/06/lenovo-sales-and-support-reps-dont-get.html).

I'm about to file an ACC compliant, as I've given them long enough. Anyone else bitten by this, please file consumer protection complaints in your respective countries.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags