April 21, 2025

Microsoft’s coprocessor prevents Linux from running on ThinkPad laptops

  • July 8, 2022

Half a year ago, at CES 2022, Lenovo presented the ThinkPad Z13 and ThinkPad Z16 laptops, which use AMD Ryzen PRO 6000 processors along with dedicated Radeon graphics. Nothing untoward so far, but it was recently discovered that they cannot run Linux, not even through a live session.

The discovery that the ThinkPad Z13 and Z16 laptops are unable to boot Linux comes from Matthew Garrett, a prominent developer and one of the biggest proponents of Secure Boot in Linux. The reason these computers are unable to run Linux is the presence of Microsoft’s own coprocessor, Pluton, which only trusts the Redmond giant’s own UEFI key for Windows 11 and not the key the company itself provides for third parties such as Linux and other alternative operating systems (the Microsoft 3rd Party UEFI CA key).

In other words, the Microsoft Pluton coprocessor has a configuration or requirement to only use the Windows 11 UEFI Secure Boot key. This means that, with the default firmware settings, the laptops prevent other systems from booting, because bootloaders and drivers signed with the third-party key are marked as untrusted. Even distributions with “good” Secure Boot support, such as Ubuntu and Fedora, will not pass through the filter, and booting from any third-party peripheral connected via Thunderbolt is also prevented.
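To see which Microsoft CAs a given machine's firmware actually trusts, the following added example (not from the original article, Lenovo or Microsoft) parses the UEFI Secure Boot `db` variable and reports whether the Windows CA and the third-party CA are present. The GUIDs, certificate subject names and efivarfs path are well-known values supplied here rather than taken from the article, and the match on the certificate name is a substring heuristic, not full X.509 parsing.

```python
import struct
import uuid

# Known values (not from the article): GUID marking X.509 entries in an
# EFI_SIGNATURE_LIST, and the subject CNs of Microsoft's two Secure Boot CAs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
WINDOWS_CA = b"Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = b"Microsoft Corporation UEFI CA 2011"
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def x509_entries(db: bytes):
    """Yield the raw DER bytes of each X.509 entry in a Secure Boot db blob."""
    off = 0
    while off + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(db):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_X509_GUID:
                yield db[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
            pos += sig_size
        off = end


def trust_summary(db: bytes) -> dict:
    """Report which Microsoft CAs the db trusts (substring match on the CN)."""
    certs = list(x509_entries(db))
    return {
        "windows_ca": any(WINDOWS_CA in c for c in certs),
        "third_party_ca": any(THIRD_PARTY_CA in c for c in certs),
    }


def make_list(payload: bytes) -> bytes:
    """Build a one-entry X.509 signature list (constructed test data only)."""
    sig = uuid.UUID(int=0).bytes_le + payload
    head = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return head + sig


if __name__ == "__main__":
    try:
        with open(DB_PATH, "rb") as f:
            blob = f.read()[4:]  # efivarfs prepends 4 attribute bytes
    except OSError:
        blob = make_list(b"CN=" + WINDOWS_CA)  # constructed sample, not a real db
    print(trust_summary(blob))
```

A result with `windows_ca` true and `third_party_ca` false corresponds to the default configuration the article describes, in which shim-based distributions are rejected.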

If one digs through the official list of laptops on the ThinkPad website, one can find the following statement: “The Z13 and Z16 notebooks are the first in the industry to implement a security processor built into the CPU, which helps eliminate exposure to threats and prevent physical attacks. This new chip-to-cloud security technology is the result of a partnership between Microsoft and AMD that works with data encryption and biometric protection as unique as your personal DNA.”

Beyond the issues related to biometric authentication, Matthew Garrett openly states that preventing the loading of third-party keys provides no security benefit and only serves to create barriers to starting alternative operating systems. The developer points out that “the complete UEFI Secure Boot architecture is what enables security without compromising the user’s choice of operating system.”

Secure Boot is a feature that has always caused controversy outside of Windows. Some see it as vendor lock-in rather than a true security feature, a view that has been reinforced, at least in some cases, by the discovery that Ubuntu supports it outside of the spec itself.

Another episode is the Lockdown security module, which was finally incorporated into Linux after seven years of discussions between Matthew Garrett and Linus Torvalds, the creator of the Linux kernel. The reason for this long-running discussion, which was also very heated at times, was largely that Garrett insisted on linking Lockdown to Secure Boot, while Torvalds was against it because of the possible unforeseen consequences it could have. In the end, the Linux creator got his way and Lockdown’s connection to Secure Boot was left as an optional feature.

Aside from the controversy surrounding Linux running on the ThinkPad Z13 and ThinkPad Z16 laptops, the option left is to “take the axe” and disable Secure Boot at the root. This should remove the barrier that prevents alternative operating systems from booting, since the signature verification process should no longer be present, but who knows what the consequences are for computers with the Microsoft Pluton coprocessor in the middle; it is possible that Linux still won’t boot due to hardware incompatibility.

Source: Muy Computer
