Earlier this week Linux security researcher Matthew Garrett shared that Lenovo’s newer AMD Rembrandt laptops with Microsoft’s Pluton security co-processor would not boot Linux by default. The issue stems from the third-party UEFI certificate not being enabled by default and it turns out is something Microsoft is seemingly now enforcing. Fortunately, I had a Lenovo ThinkPad X13 Gen3 with Ryzen 7 PRO 6850U on the way and so was now able to test this experience under Linux.
Matthew Garrett is well known for his Linux Secure Boot work and other security research. He was quick to criticize Lenovo for not shipping its new laptops with the 3rd party UEFI CA enabled by default, arguing that “there’s no security benefit to this.” Lenovo meanwhile posted a notice confirming the change and seemingly shifting the blame to Microsoft: “Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default. This means that for any of these Lenovo platforms shipped with Windows pre-installed an extra step is needed to allow Linux to boot with secure boot enabled.”
For “Secured-core” PCs this presumably means systems with Pluton. I’ve had the Intel Core i7 1280P in a new laptop and other 2022 model laptops running Windows 11 that haven’t had this change in place. However, I haven’t yet seen Microsoft’s exact verbiage around this mandate.
Fortunately, thanks to a very good 4th of July deal, I already had a Lenovo ThinkPad X13 on the way for Linux testing of the AMD Ryzen 6000 series “Rembrandt” support and performance, and it was awaiting delivery when this news came out earlier in the week. While Rembrandt has been around since earlier this year, the lack of major laptop vendor interest in Linux (at least as it concerns product reviews and media coverage) and no cooperation from AMD for Linux laptop testing meant I hadn’t been able to test AMD Rembrandt under Linux until purchasing a laptop myself to deliver Linux compatibility information, a review, and benchmarks.
The Lenovo ThinkPad X13 Gen3 (21CM0001US) is equipped with a Ryzen 7 PRO 6850U SoC with RDNA2 Radeon RX 680M graphics, 16GB of LPDDR5-6400 memory, a 512GB NVMe SSD, a 1920 x 1200 13.3-inch display, and Qualcomm NFA725A WiFi. I’ll have Linux benchmarks on this Lenovo laptop soon on Phoronix along with many more details about AMD Rembrandt under Linux, its support requirements, and performance across many benchmarks. The 21CM0001US launched in June and retails for $1770 to $1800 USD or more, but during the 4th of July sale it was just $1182, making it quite compelling for the price and a good enough bargain that I could afford it for delivering some interesting Linux tests.
Indeed, when it came to trying to boot an Ubuntu 22.04 LTS live image on the ThinkPad X13 Gen3, it failed. Selecting the USB drive with the official Ubuntu 22.04 LTS image from the boot menu simply returned to the boot menu screen without any messages. This is a bad user experience: it doesn’t inform the user that the 3rd party certificate is disabled or provide any other messaging around the problem – it just fails.
But fortunately the 3rd party UEFI CA can be easily enabled from the Lenovo BIOS. Simply hit Enter at boot to interrupt the boot process, hit F1 to enter the BIOS, and on the Security page there is an “Allow Microsoft 3rd Party UEFI CA” option. Alternatively, UEFI Secure Boot can be disabled in its entirety.
This is the part that wasn’t made clear in Garrett’s blog post — the 3rd party certificate can be easily enabled. But I do agree with his assessment that it’s a stupid mandate to now have to disable this certificate by default and doesn’t seem to be based on firm security reasons. Particularly around the lack of messaging over this change in default behavior it leads to a poor user experience and customers may just assume Linux is having technical troubles in booting on new laptops or other troubles.
Once the third party certificate was enabled, the Ubuntu 22.04 LTS image booted up fine on the ThinkPad X13 Gen3 laptop. With the third party certificate enabled, the Microsoft Windows installation still booted up fine as well.
On Ubuntu 22.04 LTS with its stock Linux 5.15 kernel and other default components, the AMD Rembrandt laptop was working fine as far as standard functionality is concerned — stay tuned for my Linux review and many performance benchmarks. But long story short from the Ubuntu 22.04 desktop, the WiFi was working out-of-the-box, the RDNA2 graphics were supported fine on the stock kernel and Mesa, etc.
It’s unfortunate that Microsoft is apparently mandating the third-party UEFI CA be disabled by default, based on the AMD and Lenovo comments. But at least in the case of current Lenovo ThinkPads, the certificate can be easily enabled and there is still the ability to disable UEFI Secure Boot outright. It will be more of an issue if any of the other laptop vendors forego having these options readily accessible to end-users or outright don’t load the third party certificate onto devices. It’s also a poor user experience right now that trying to boot a Linux distribution on a new device silently fails without any explanation or indication of the Secure Boot certificate status. It would be a nice compromise if Lenovo (and other OEMs) at least showed the Secure Boot status and the state of the certificates from the UEFI boot menu, which would provide immediate insight for technical users into why their Linux install media may be silently failing to boot.
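Until firmware menus show that state, a technical user can inspect it from Linux itself (for example from a live image booted with Secure Boot temporarily off, or from an existing install). The Secure Boot authorized-signature database `db` is exposed through efivarfs as a chain of EFI_SIGNATURE_LIST structures, and the entry that matters for shim-signed distribution media is the certificate with subject CN “Microsoft Corporation UEFI CA 2011”. The script below is an added example, not code from the article or from Lenovo or Ubuntu: it parses that structure with only the standard library and reports whether the 3rd party CA is present. The efivarfs path and the EFI_CERT_X509 / EFI_CERT_SHA256 GUIDs are the real UEFI values; the sample database, its owner GUID and its stand-in certificate bytes are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Check whether the Microsoft 3rd Party UEFI CA is present in the Secure Boot 'db'.

On Linux with efivarfs mounted, the 'db' variable is a file whose first 4 bytes are
the variable attributes, followed by one or more EFI_SIGNATURE_LIST structures:
  SignatureType (GUID), SignatureListSize, SignatureHeaderSize, SignatureSize,
  SignatureHeader[SignatureHeaderSize], then entries of
  SignatureOwner (GUID) + SignatureData, each SignatureSize bytes long.
"""
import struct
import uuid
from pathlib import Path

EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DB_EFIVAR = Path(f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}")

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Subject CN of the CA that signs shim for Linux distributions (the "3rd party UEFI CA").
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"

# Fixed 28-byte prefix of EFI_SIGNATURE_LIST; GUIDs and integers are little-endian.
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for each entry in a db blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size < 16:  # every entry begins with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize smaller than a SignatureOwner GUID")
        body = blob[off + SIGLIST_HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            yield sig_type, owner, body[i + 16 : i + sig_size]
        off += list_size


def summarize_db(blob: bytes) -> dict:
    """Count certificate and hash entries and flag the 3rd party UEFI CA.

    The CN match is a byte search for the DER PrintableString (tag 0x13, length 34)
    inside the certificate, a stdlib-only heuristic: a real X.509 parser would be
    more precise, since the same string also appears in the Issuer field of any
    certificate issued by that CA.
    """
    cn_der = b"\x13" + bytes([len(THIRD_PARTY_CA_CN)]) + THIRD_PARTY_CA_CN
    result = {"x509_certs": 0, "sha256_hashes": 0, "third_party_ca_present": False}
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            result["x509_certs"] += 1
            if cn_der in data:
                result["third_party_ca_present"] = True
        elif sig_type == EFI_CERT_SHA256_GUID:
            result["sha256_hashes"] += 1
    return result


def read_db_efivar(path: Path = DB_EFIVAR) -> bytes:
    """Read 'db' from efivarfs, dropping the 4-byte attribute prefix efivarfs prepends."""
    return path.read_bytes()[4:]


def build_signature_list(sig_type: uuid.UUID, entries) -> bytes:
    """Build one EFI_SIGNATURE_LIST from (owner_guid, data) pairs of equal data length."""
    data_len = len(entries[0][1])
    if any(len(d) != data_len for _, d in entries):
        raise ValueError("all entries in one list must share SignatureSize")
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, 16 + data_len) + body


# Constructed sample database: the owner GUID is a placeholder and the "certificates"
# are stand-in DER fragments carrying only a CN string, not real X.509 certificates.
SAMPLE_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
WINDOWS_PCA_LIST = build_signature_list(
    EFI_CERT_X509_GUID, [(SAMPLE_OWNER, b"\x13\x25Microsoft Windows Production PCA 2011")])
THIRD_PARTY_LIST = build_signature_list(
    EFI_CERT_X509_GUID, [(SAMPLE_OWNER, b"\x13\x22" + THIRD_PARTY_CA_CN)])
HASH_LIST = build_signature_list(
    EFI_CERT_SHA256_GUID, [(SAMPLE_OWNER, b"\x11" * 32), (SAMPLE_OWNER, b"\x22" * 32)])
SAMPLE_DB_WITH_3RD_PARTY = WINDOWS_PCA_LIST + THIRD_PARTY_LIST + HASH_LIST
SAMPLE_DB_WINDOWS_ONLY = WINDOWS_PCA_LIST + HASH_LIST

if __name__ == "__main__":
    # Use the live firmware variable when available, otherwise the constructed sample.
    blob = read_db_efivar() if DB_EFIVAR.exists() else SAMPLE_DB_WITH_3RD_PARTY
    report = summarize_db(blob)
    print(f"X.509 certificates in db: {report['x509_certs']}")
    print(f"SHA-256 hashes in db:     {report['sha256_hashes']}")
    state = "present" if report["third_party_ca_present"] else "ABSENT (shim-signed media will not boot)"
    print(f"Microsoft 3rd Party UEFI CA: {state}")
```

Run as root (efivarfs entries are normally root-readable); on a system where the BIOS option above is disabled, the CA simply does not appear in `db`, which is the condition that makes the Ubuntu image bounce back to the boot menu. The `KEK` and `dbx` variables live at the same efivarfs path pattern and parse with the same function.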