[personal profile] mjg59
I finally managed to get hold of a Thinkpad Z13 to examine a functional implementation of Microsoft's Pluton security co-processor. Trying to boot Linux from a USB stick failed out of the box for no obvious reason, but after further examination the cause became clear - the firmware defaults to not trusting bootloaders or drivers signed with the Microsoft 3rd Party UEFI CA key. This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt.

There's no security benefit to this. If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7 (which records, among other things, which db certificate authorised the booted image), switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any secrets sealed to them. It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems.

Lenovo, this isn't OK. The entire architecture of UEFI secure boot is that it allows for security without compromising user choice of OS. Restricting boot to Windows by default provides no security benefit but makes it harder for people to run the OS they want to. Please fix it.
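To make the PCR 7 argument concrete, here is an added model of the measurement sequence (it is an illustration written for this page, not firmware code or anything from Lenovo or Microsoft). It replays the events the TCG PC Client spec puts into PCR 7: the Secure Boot policy variables, a separator, and then an EV_EFI_VARIABLE_AUTHORITY event carrying the db entry that actually validated the boot image. The certificate bytes, variable contents and owner GUID are constructed placeholders, and the "seal"/"unseal" functions are a simplified stand-in for a TPM PCR policy, not real TPM calls. The db contents are identical in both boots, so the only thing that changes is which certificate authorised the bootloader:

```python
"""Added model of the PCR 7 measurement sequence the post refers to.
It is an illustration, not firmware code: the certificate and variable
contents are constructed placeholders, not real Microsoft certificates."""
import hashlib
import struct
import uuid

# Variable namespace GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Constructed stand-ins for the DER certificates and variable contents.
WINDOWS_PRODUCTION_CA = b"CONSTRUCTED-CERT: Windows boot-manager signing CA"
THIRD_PARTY_UEFI_CA = b"CONSTRUCTED-CERT: Microsoft 3rd Party UEFI CA"
SIGNATURE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
PK_CONTENTS = b"CONSTRUCTED-PK"
KEK_CONTENTS = b"CONSTRUCTED-KEK"
DBX_CONTENTS = b"CONSTRUCTED-DBX"
# db with the 3rd party CA enabled; identical in both boots modelled below.
DB_CONTENTS = WINDOWS_PRODUCTION_CA + THIRD_PARTY_UEFI_CA


def uefi_variable_data(guid, name, data):
    """Serialise UEFI_VARIABLE_DATA (TCG PC Client spec): VariableName GUID,
    UnicodeNameLength, VariableDataLength, UnicodeName (UTF-16LE), VariableData."""
    return (guid.bytes_le + struct.pack("<QQ", len(name), len(data))
            + name.encode("utf-16-le") + data)


def signature_data(owner, cert):
    """EFI_SIGNATURE_DATA: SignatureOwner GUID followed by the certificate."""
    return owner.bytes_le + cert


def extend(pcr, event_data):
    """TPM extend with SHA-256: new = H(old || H(event_data))."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()


def pcr7_for_boot(verifying_cert, db_contents=DB_CONTENTS):
    """Replay the PCR 7 event sequence for one boot and return the final value.

    The Secure Boot policy variables are measured first (EV_EFI_VARIABLE_DRIVER_CONFIG),
    then a separator, then EV_EFI_VARIABLE_AUTHORITY records the db entry that
    validated the boot image.  Only that last event differs between a Windows boot
    and a boot of something signed under the 3rd party CA."""
    pcr = bytes(32)
    for guid, name, value in (
        (EFI_GLOBAL_VARIABLE, "SecureBoot", b"\x01"),
        (EFI_GLOBAL_VARIABLE, "PK", PK_CONTENTS),
        (EFI_GLOBAL_VARIABLE, "KEK", KEK_CONTENTS),
        (EFI_IMAGE_SECURITY_DATABASE, "db", db_contents),
        (EFI_IMAGE_SECURITY_DATABASE, "dbx", DBX_CONTENTS),
    ):
        pcr = extend(pcr, uefi_variable_data(guid, name, value))
    pcr = extend(pcr, b"\x00\x00\x00\x00")  # EV_SEPARATOR
    authority = uefi_variable_data(EFI_IMAGE_SECURITY_DATABASE, "db",
                                   signature_data(SIGNATURE_OWNER, verifying_cert))
    return extend(pcr, authority)


def seal_policy(pcr7):
    """Simplified stand-in for a TPM2_PolicyPCR policy digest over PCR 7."""
    return hashlib.sha256(b"PolicyPCR:7:" + pcr7).digest()


def can_unseal(policy, pcr7):
    """A sealed secret is released only if the current PCR 7 satisfies the policy."""
    return policy == seal_policy(pcr7)


def compare_boots():
    """Seal against a Windows boot, then try to unseal after a 3rd-party-CA boot."""
    windows = pcr7_for_boot(WINDOWS_PRODUCTION_CA)
    third_party = pcr7_for_boot(THIRD_PARTY_UEFI_CA)
    policy = seal_policy(windows)
    return {
        "pcr7_windows": windows.hex(),
        "pcr7_third_party": third_party.hex(),
        "unseal_after_windows_boot": can_unseal(policy, windows),
        "unseal_after_third_party_boot": can_unseal(policy, third_party),
    }


if __name__ == "__main__":
    for key, value in compare_boots().items():
        print(f"{key}: {value}")
```

Run it and the two PCR 7 values differ while every preceding measurement is the same, which is the whole point: a secret sealed to the Windows boot path stays sealed after a shim boot even with the 3rd party CA enabled in db, so leaving the CA trusted costs nothing that PCR 7 does not already catch.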

Date: 2022-07-08 10:19 am (UTC)
From: (Anonymous)
Odd because Mark Pearson at Lenovo said that Linux is working on the Z series in this video https://youtu.be/3weDwYFAFco?t=968

Date: 2022-07-08 10:38 am (UTC)
From: [identity profile] kevinkofler.wordpress.com
I suppose it works if you disable Secure Boot. It might also let you manually import the required signing key pair's public key (the Microsoft third-party key, possibly also the Fedora one directly).

Date: 2022-07-08 02:07 pm (UTC)
From: (Anonymous)
It doesn't even require going that far. There is a firmware setting to enable the 3rd party key, and that lets secure boot work with the keys already imported.

Restricted Boot

Date: 2022-07-08 10:42 am (UTC)
From: [identity profile] kevinkofler.wordpress.com
This is exactly what we opponents of the so-called "Secure Boot" have been warning against all this time. Restricted Boot is by design not a security technology, it is a vendor lock-in technology (as also evidenced by the need to get your bootloader signed by Microsoft in the first place, and then they sign it with a different key from their own so that vendors can do exactly what Lenovo is now doing). Your (your and some other GNU/Linux developers') pro-"Secure Boot" attitude is what has led to this.

Re: Restricted Boot

Date: 2022-07-08 01:17 pm (UTC)
From: (Anonymous)
Sadly exactly what was expected. They use it to Lock-down general computing devices.
On the other hand I would turn off Secure Boot anyway because it causes more problems than it solves, which is followed by actually caring about security:

1.) Turn on hardware encryption for the drive
2.) Secure the UEFI with a password

Re: Restricted Boot

Date: 2022-07-08 04:14 pm (UTC)
From: (Anonymous)
It's not the technology. It's how you use it.

Re: Restricted Boot

Date: 2022-07-12 08:48 pm (UTC)
From: [identity profile] a81067fd-8ae5-444d-854f-51add11deb59 [openid.stackexchange.com]
It's not the technology. It's how you use it.

Yes, and this is being used as yet one more step to lock you out of YOUR OWN hardware. Just like more and more other companies out there (hello John Deere, etc).

Re: Restricted Boot

Date: 2022-08-27 04:06 pm (UTC)
From: (Anonymous)

I don't really see how this is a problem. If you're selling a system with a pre-installed Windows and no other components that require the 3rd party CA, there is no reason for it to be trusted by default. Especially when that CA is used to sign pretty much everything and the kitchen sink, and there have been multiple instances in the past of software signed by it either having severe vulnerabilities or outright intentionally booting unsigned code.

If you want to boot something else than what the computer ships with, you can just add the CA in the uefi settings. You probably had to go there to change the boot order anyway, and they even put a magic switch so you don't have to download the CA file yourself. Or even better, put it in custom mode and load your own keys - why would you want to trust microsoft's and the manufacturer's keys if you're not running their code?

Restricted boot would be not allowing to change the keys, this is just tightening security on systems where it's possible.

Date: 2022-07-08 12:11 pm (UTC)
From: (Anonymous)
Lenovo claims Microsoft requires it: https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf

Date: 2022-07-08 04:16 pm (UTC)
From: (Anonymous)
Then I believe the Antitrust shall have a say.

Date: 2022-07-08 01:07 pm (UTC)
From: (Anonymous)
Simple EFI / BIOS encryption support for boot partition (fat32 / ext4 / luks) can solve all security problems. We need no CA signing.
From: (Anonymous)
Thanks for raising attention. This is terrible and Lenovo should change/ update their firmware.

MSI are doing the same thing with their latest firmware updates. And there are people on their support site who aren't able to get into the BIOS/UEFI because their video cards won't support it.

(in)Secure Boot has always been a bad idea, as long as a single vendor with every reason to lock everyone else out is the sole gatekeeper. This should ONLY have been handled by an independent body, one that isn't beholden to any party with a personal interest in it. But too many people have been all too happy to just go along with having their rights trampled.

Secure Boot? Really?

Date: 2022-07-08 08:59 pm (UTC)
From: (Anonymous)
It was always a known fact that the Old Microsoft management wanted to lock down devices to run windows only (And probably Microsoft wants to protect their new Apps based on their "Modern" libraries, Xbox style) . Secure Boot never was about security (in the sense of "securing the user data") but more about licensing compliance and money. The owner of the keys is in the end the real owner of the machine (or at least, the one that can dictate what you can install or not on the machine).

Of course, any tool can be used for good or for evil, depending on who is using the tool, but seriously Mr. Garrett: did you really not see that coming?

Of course, the manufacturer is just doing what the owner of the software is asking for, so the manufacturer is not to blame. It even offers a way to bypass the lockdown, but it is still something Joe User probably shouldn't care about at all.

Security is always a complex issue, but giving the keys to Microsoft was the worst solution to it. But then again, it's not your machine anymore. Not in this age.

Two cents used.

Date: 2022-07-09 01:21 am (UTC)
From: (Anonymous)
What this really comes down to is whether to ship "SCPC ready" or ship already tuned for SCPC.

There are lots of happy mediums. Any company that cares about SCPC will have plenty of other tuning they do to their corporate image so they could easily use a WMI interface to turn off the 3rd party CA at that time.

Date: 2022-07-09 02:49 am (UTC)
From: [personal profile] mpearson
Hi Matthew,

Glad you got your hands on a Z13 - as a note, there are some FW fixes coming for fixing a few Linux issues (we haven't quite finished enablement on it yet - but almost there) but it's going to be a Linux certified and supported platform (and I'm personally really liking mine)

For the 3rd party cert - I didn't get a say in this, but the disabling of the 3rd party cert is part of the Microsoft Secured-Core PC certification. You can still enable the cert by going in the BIOS - there is an option to enable it there.

We should have it enabled for our Linux preloaded systems - but it isn't for the Windows preload. You have to toggle it if you want to boot Linux with secure boot enabled.

I don't think this is a Lenovo specific thing - maybe we're the first out with secured-core?
I'll flag your points to the team internally and see if I can get any feedback - when this initially came up my concern was if we'd still be able to boot Linux (and you can).

Mark
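Several comments above (the one noting a firmware setting that enables the 3rd party key, and Mark Pearson's reply that the cert can be re-enabled from the BIOS) raise the practical question of how to tell from a running Linux system whether the 3rd party CA is actually in db. The following is an added example written for this page, not Lenovo's or Microsoft's code and not something the post itself ships: it parses the EFI_SIGNATURE_LIST chains that db and dbx are made of, counts X.509 entries and revoked SHA-256 image hashes, and looks for the 3rd party CA. The sample variable contents are constructed (the "certificates" are labelled byte strings, not real DER), and the check for the CA is a substring match on its subject common name, which works on a real DER certificate because the CN is stored as a printable string, but is a heuristic, not a fingerprint comparison. The `read_efivar` helper shows where the real data comes from on a Linux box and is not exercised by the sample.

```python
"""Added example: parse the db/dbx variables and check whether a certificate
matching the Microsoft 3rd Party UEFI CA is present.  The sample variable
contents below are constructed; the CN match is a heuristic, not a
fingerprint check."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Subject common name of the 3rd party CA, stored as a printable string in the DER.
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"
# Constructed owner GUID for the sample entries.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return a list of
    (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry.
    Sizes are validated so a truncated or malformed variable raises instead
    of silently yielding garbage."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, items):
    """Build one EFI_SIGNATURE_LIST (used here only to construct sample data).
    Every entry in a list shares one SignatureSize, so items must be equal length."""
    if any(len(item) != len(items[0]) for item in items):
        raise ValueError("entries in one list must have equal size")
    body = b"".join(owner.bytes_le + item for item in items)
    header = struct.pack("<III", 28 + len(body), 0, 16 + len(items[0]))
    return sig_type.bytes_le + header + body


def read_efivar(name, guid=EFI_IMAGE_SECURITY_DATABASE_GUID):
    """Read a variable from efivarfs on Linux; the first four bytes are attributes."""
    with open(f"/sys/firmware/efi/efivars/{name}-{guid}", "rb") as f:
        return f.read()[4:]


def summarize(db_blob, dbx_blob):
    """Answer the practical questions: how many certs does db trust, is the
    3rd party CA among them, and how many image hashes does dbx revoke."""
    db = parse_signature_lists(db_blob)
    dbx = parse_signature_lists(dbx_blob)
    return {
        "db_x509_certs": sum(1 for t, _, _ in db if t == EFI_CERT_X509_GUID),
        "third_party_ca_trusted": any(
            t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_CN in d for t, _, d in db),
        "dbx_sha256_hashes": sum(1 for t, _, _ in dbx if t == EFI_CERT_SHA256_GUID),
    }


# Constructed samples: a db holding only a Windows signing cert, one that also
# carries the 3rd party CA, and a dbx revoking three image hashes.
WIN_CERT = b"CONSTRUCTED-DER: CN=Microsoft Windows Production PCA 2011"
TP_CERT = b"CONSTRUCTED-DER: CN=" + THIRD_PARTY_CA_CN
WINDOWS_ONLY_DB = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [WIN_CERT])
FULL_DB = WINDOWS_ONLY_DB + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [TP_CERT])
SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
    [hashlib.sha256(b"constructed-revoked-image-%d" % i).digest() for i in range(3)])

if __name__ == "__main__":
    print("Windows-only db:", summarize(WINDOWS_ONLY_DB, SAMPLE_DBX))
    print("db with 3rd party CA:", summarize(FULL_DB, SAMPLE_DBX))
```

On a real machine, `summarize(read_efivar("db"), read_efivar("dbx"))` reports the same fields for the firmware's actual variables; a `third_party_ca_trusted` of False with Secure Boot on is the condition the post describes, and the fix is the firmware toggle rather than disabling Secure Boot.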

Date: 2022-07-09 05:57 am (UTC)
From: (Anonymous)
You should look at https://twitter.com/rickmartinez06/status/1545392103760560130

With the Chinese you lose

Date: 2022-07-09 09:09 pm (UTC)
From: (Anonymous)
Well, typical of a Chinese brand: Once they have your money, they're gone. I wouldn't expect anything to change here.

Re: With the Chinese you lose

Date: 2022-07-11 07:49 pm (UTC)
From: (Anonymous)
Well, typical of a Chinese brand: Once they have your money, they're gone. I wouldn't expect anything to change here.

Has nothing to do with the nationality of the brand. This has been bog-standard on multiple business laptops for several years now, Secure Boot is on by default. It takes nothing to disable it - I did exactly that to back up my new ThinkPad's original configuration when I got it a week ago before I reloaded it. The second you disable Secure Boot, you boot from any USB key and any OS you want just fine.

This is a feature for corporate laptops, something Dell Latitudes and Precision Mobile Workstations routinely have factory-enabled as well. There's no conspiracy, and your comment above is racist to say the least.

My thoughts

Date: 2022-07-11 12:47 pm (UTC)
From: (Anonymous)
Because stuff signed by a chain leading up to the third party UEFI cert actually gets revoked, there's probably more vulnerable unrevoked Windows bootloaders around than non-Windows at that point. On the non-Windows side I know of 2 (3 if you count separate versions with different signatures/hashes), both with crypto fails (I thought MS was supposed to audit this kind of thing before signing), on the Windows side there's ~9.5 years of vulnerable bootloaders now just based on patched bugs and lack of dbx update. Of course, interesting non-Windows bootloaders are harder to find, would be nice if certificate transparency was used here.

dbx was always a terrible plan (probably intended for malware/etc that somehow got signed, and legitimate binaries with exploitable bugs weren't considered). Mostly thanks to this, secured core PCs are a joke.

...although I will concede that secured core PCs did one good thing, namely enforcing actual security standards for UEFI firmware.

Date: 2023-04-16 11:54 pm (UTC)
From: (Anonymous)
Could you just import another key that signed your Linux OS to use Secure boot? Also how is secure boot really secure?

P.S. - Asking for a friend ;)

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
