Microsoft aren't forcing Lenovo to block free operating systems

[mjg59]

Update: Patches to fix this have been posted

There's a story going round that Lenovo have signed an agreement with Microsoft that prevents installing free operating systems. This is sensationalist, untrue and distracts from a genuine problem.

The background is straightforward. Intel platforms allow the storage to be configured in two different ways - "standard" (normal AHCI on SATA systems, normal NVMe on NVMe systems) or "RAID". "RAID" mode is typically just changing the PCI IDs so that the normal drivers won't bind, ensuring that drivers that support the software RAID mode are used. Intel have not submitted any patches to Linux to support the "RAID" mode.

In this specific case, Lenovo's firmware defaults to "RAID" mode and doesn't allow you to change that. Since Linux has no support for the hardware when configured this way, you can't install Linux (distribution installers will boot, but won't find any storage device to install the OS to).

Why would Lenovo do this? I don't know for sure, but it's potentially related to something I've written about before - recent Intel hardware needs special setup for good power management. The storage driver that Microsoft ship doesn't do that setup. The Intel-provided driver does. "RAID" mode prevents the Microsoft driver from binding and forces the user to use the Intel driver, which means they get the correct power management configuration, battery life is better and the machine doesn't melt.

(Why not offer the option to disable it? A user who does would end up with a machine that doesn't boot, and if they managed to figure that out they'd have worse power management. That increases support costs. For a consumer device, why would you want to? The number of people buying these laptops to run anything other than Windows is miniscule)

Things are somewhat obfuscated due to a statement from a Lenovo rep:This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft. It's unclear what this is meant to mean. Microsoft could be insisting that Signature Edition systems ship in "RAID" mode in order to ensure that users get a good power management experience. Or it could be a misunderstanding regarding UEFI Secure Boot - Microsoft do require that Secure Boot be enabled on all Windows 10 systems, but (a) the user must be able to manage the key database and (b) there are several free operating systems that support UEFI Secure Boot and have appropriate signatures. Neither interpretation indicates that there's a deliberate attempt to prevent users from installing their choice of operating system.

The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred. Rather than be angry at Lenovo, let's put pressure on Intel to provide support for their hardware.

Comments

[(Anonymous)]

> Why would Lenovo do this? I don't know for sure, [..]
> [..] due to a statement from a Lenovo rep [..] It's unclear what this is meant to mean. [..]

Thanks for the insight in the mechanics of the problem,
but as you state yourself your explanation of Lenovo's intent
is also just an assumption.
Therefore we can't know for sure the real reason for Lenovo's
actions.

> [..] That increases support costs. For a consumer device, why would you want to? [..]

Then Lenovo should switch to selling bricks. They have even less support costs.

Re: DIY support

[(Anonymous)]

> Cryptographically signed firmwares are an Intel requirement and have been since Sandy/Ivy Bridge. Go look at Dell or HP and you'll find the exact same requirements for UEFI updates.

I wasn't faulting (or singling out) Lenovo for using a cryptographically-signed firmware at all, nor am I suggesting they break this mold as a potential resolution (and believe it or not, I'm well aware that this practice of crypto-signing firmware is pretty ubiquitous, regardless of how "required" or not it actually is).

However, I am faulting Lenovo for locking us out of AHCI mode in their BIOS.

I'm also using the cryptography as strong evidence that users cannot be reasonably expected to "support themselves" in this scenario -- them large semiprimes man, you guys should just factor them yourselves!

> Flashing a modified firmware via SPI is the only known method for newer Intel platforms due to the signature checks performed during a normal firmware update.

So you somehow think it's perfectly reasonable to expect users that want to set their RAID controllers to AHCI mode in order to install the operating system of their choice on the hardware that they paid for to have to flash a modified firmware via SPI?!

Some of the most highly skilled software engineers that I know don't even know how to solder...

You also mentioned that "flashing a modified firmware via SPI is the only known method for newer Intel platforms due to the signature checks performed during a normal firmware updates." That may be true, but it's not true for the affected Lenovo consumer ultrabooks in question -- Lenovo has already released BIOS updates that can be flashed by end users completely in software.

> Sometimes vendors are careless/lazy and people find other ways to flash modified firmwares.

So now it comes down to the "hail mary" of hoping there is some security hole or backdoor instead and that somebody puts in the time and effort to find it, so that we don't have to resort to chip programming? Ridiculous.

> "Go read about this yourself (free eBook on Intel platform security): www.apress.com/9781430265719"

I appreciate the reference, but it seems a little unrelated to the argument at hand, no? Just curious, did you read all 272 pages yourself?

[(Anonymous)]

I'm sorry that people so high up in the FSF and the Linux world can be so defeatist in their thinking.

In a way, having to listen to "It's our fault for not supporting RAID mode on a system that shouldn't be in RAID mode." or some version of it every time a PC OEM does something bonehead stupid or evil is like listening to a battered woman explain to the police why it's not her abusive boyfriend's fault that he got drunk and bashed her head into the wall.

How far to fake it?

[(Anonymous)]

Is it the case the kernel doesn't have the necessary IDs in place to "bind" the controller in RAID mode and if so couldn't someone who wanted a life of pain add the ids to their custom kernel such that it did bind to the AHCI driver? While you would never be able to read disks formatted with the true RAID format would it at least allow you to talk to the disks?

[(Anonymous)]

The ugly part is this BIOS hack prevents you from reinstalling the microsoft windows.

So users are stuck with whatever lenovo decides to add, and in the past that has included a fair bit of not just crapware, but actually malware which leaves your system vulnerable from attack.

[(Anonymous)]

First of all the RAID mode is useless, there's only a single drive.

Second of all the compatible hardware is supported and included with the laptop.

It's just stupid for lenovo to configure it weirdly, disable the bios and efi setting that would fix it. Potential motivation for this is to prevent users from installing microsoft windows, which would remove whatever malware/crapware they are including to track users and sell the resulting information. Not like malware hasn't been found in lenovo laptops more than once in the past.

Which part is it that is not being understood?

[(Anonymous)]

RAID: Redundant Array of Inexpensive Drives (Disks)

So which part of RAID is it that is not being understood? RAID by definition REQUIRES 2 or more drives/disks. You can not have a RAID set up with out 2 or more. RAID is ment to be/is a way of securing/backing up data on a computer.

Is this single disk/drive computer set up to use RAID? No! So what other purpose could it serve? Other then to "lock" someone, or something out?

So tell me if it is not a "RAID" setup, which by definition it isn't, just what is it? And why if it is not ment to lock out" is it there at all?

Re: DIY support

[(Anonymous)]

Note that on many Lenovo Ultrabooks you cannot flash the SPI yourself as the flash signature verification is burned into the CPU.

Emergent Evil

[(Anonymous)]

I think this is a pattern. I'd call it "Emergent Evil". No evil intentions on anyone's part (at least technically). No signed agreements. But the whole semi-chaotic interaction of thousand actors inveriably results in something evil like this.

I'm convinced the strategists ten floors further up have learnt to steer and use this to their advantage. Plausible deniability included!

complete BS

[(Anonymous)]

Sorry but your article is complete BS.

Lenovo are the biggest PC laptop vendor in the world. Laptops don't have RAID.

Intel support for Linux is generally excellent.

Re: Which part is it that is not being understood?

[teaparty.net]

If I understand mjg59's argument correctly, the issue is not RAID. As you point out, that's not a laptop thing.

The issue is that Intel have not told anybody how to properly-manage power in their hardware; instead, they have released a binary-blob driver for Windows that just does it right. However, for the driver to do things right, Microsoft's driver mustn't bind to the hardware first. The easiest way for Lenovo to achieve this is to put the hardware into RAID mode, and not to let it come out. That means the MS driver examines the hardware, decides it can't deal with it, and ignores it, leaving the Intel driver to come along and claim it.

Presumably the Intel driver is perfectly happy to run in single-disc JBOD mode, but it does it with the right power management. The end result, according to Matthew, is "correct power management configuration, battery life is better and the machine doesn't melt".

I'm not saying it's a good thing, and I don't think Matthew is either. It's just the easiest way for Lenovo to deal with Intel's stupid secret-sauce power management, in a Windows context.

Re: Which part is it that is not being understood?

[(Anonymous)]

Calm down. It's just a way of denoting "not-AHCI".

[(Anonymous)]

The only crapware was a trial copy of Microsoft Office that I uninstalled.

Storm in a teacup

[cowbutt]

"Intel have not submitted any patches to Linux to support the "RAID" mode."

Such patches are unnecessary, as mdadm already supports Intel Rapid Storage Technology (RST - http://www.intel.co.uk/content/www/uk/en/architecture-and-technology/rapid-storage-technology.html ) for simple RAID (e.g. levels 0, 1, 10) arrays, allowing them to be assembled as md or dmraid devices under Linux.

However, it would appear that the version of mdadm in shipping versions of Ubuntu (at least - maybe other distros too) doesn't support the Smart Response Technology (SRT - http://www.intel.com/content/www/us/en/architecture-and-technology/smart-response-technology.html ) feature that's a part of RST and is used by Lenovo to build a hybrid one-stripe RAID0 device from the HDD with a cache on the SSD (I'm sure Lenovo have a good reason for not using a SSHD). Dan Williams of Intel submitted a series of patches to mdadm to support SRT back in April 2014: https://marc.info/?l=linux-raid&r=1&b=201404&w=2 . Perhaps now there's shipping hardware that requires them, there'll be the impetus for distro vendors to get them integrated into mdadm, and their auto-detection in their installers to use the functionality provided sanely.

Re: Storm in a teacup

[(Anonymous)]

I should add that mdadm is not present in Ubuntu live images by default - one has to pull it in by issuing "sudo apt[-get] install mdadm". BTW, I don't know if mdadm would detect the RAID controller/disk immediately upon installation, or it would require a reboot. In the latter case you may wish to use a USB key with enough spare room to save the system status and reboot. I'd use UNetBootin to prepare such a USB key.

The main issue here is, a user who doesn't even see a disk, probably wouldn't know to go as far as installing mdadm. IMHO, given the broadening diffusion of NVMe and RAID devices, Debian, Canonical, REDHAT, Fedora etc. might wish to make mdadm part of their live images by default (and eventually strip it from the installed system if it's unnecessary).

[marahmarie]

So did ZDNet.

Would love to see definitive confirmation or denial, as such articles are not much more than speculation without it.

Re: Liar.

[marahmarie]

It'd be nice to have some clarity on that, as it is a salient point. The reporting on this has been nothing but murky garbage.

just imagine...

[(Anonymous)]

Imagine the HELL ON EARTH that will be if every fuck*ng company decides to do it's own "RAID Mode" controller. Why we have a standard like AHCI then?

The real problem here is that AHCI firmwares are crap, and RAID will not solve problems with overheating, neither make better power consumption counters. RAID is doing the right thing in this specific case, because a lot of companies create AHCI firmware with no optimizations at all, so forcing a "default sane" for power consumption makes the sensation that RAID mode is a better standard.

Until proven wrong, this is still a move to let Linux out of the market, and if Lenovo is not the one to blame, is the one guilty of colluding with Intel to delay Linux support on this equipment.

Re: Storm in a teacup

[(Anonymous)]

Sad that the Linux distribution installers are so behind in this regard.

Re: complete BS

[(Anonymous)]

Laptops don't have RAID.

They don't?

Mine do (Sony VPCZ1, 2 or 4 striped SSD's).

Re: RAID level?

[(Anonymous)]

Get the PCI identifier for the controller in RAID mode. Add to the AHCI driver. End of problem

It's that simple. It just needs people to spot these and contribute them to the kernel.

Stop getting hung up on 'RAID mode'

[(Anonymous)]

Stop getting hung up on the word 'RAID'. This has nothing to do with actual redundant arrays of inexpensive disks at all. The mode is called 'RAID mode' but it might as well be called 'make power management work better mode', because that's the actual reason why Lenovo wants the controller set to that mode: power management works better when the drive controller is set to that mode.

Re: Microsoft's Secure Boot requirements

[(Anonymous)]

It's part of Microsoft's certification requirements, *for x86 systems*. The requirements for ARM were the exact opposite (they say that the user must *not* be able to change the key), though since barely anyone's doing Windows-on-ARM any more that's becoming increasingly less relevant. The UEFI specification (where Secure Boot is actually defined) doesn't prescribe anything about how it should be set up out of the box in any particular firmware implementation (whether any keys should be pre-loaded, whose they should be if so, whether there should be an interface for changing them, etc.)

Re: complete BS

[(Anonymous)]

Read the comment (currently) two up from yours, by teaparty.net. Then you might understand.

Re: Storm in a teacup

[mjg59]

Such patches are unnecessary

Intel have provided support to mdadm, but that doesn't help if you're unable to drive the block device in the first place. There's nothing in the kernel that binds to the PCI device when in this mode.