1. 68
  1. 21

    Even worse, Lenovo is claiming, rightly or wrongly, that this is a contractual obligation by MS. https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf

    1. 24

      Got to give Lenovo some credit for how they complied, though. They could have made it so you would have to go through a complicated process of adding the keys you need to boot anything other than Windows. But they put a simple toggle switch to enable the most common case (you are booting a Linux distribution that uses the Microsoft 3rd party shim for secure boot).

      1. 14

        Why are you disrupting the daily “Five minutes of hate for corporate America?”

        1. 14

          To be fair, that’d be corporate China you’d be hating on.

          1. 1

            Is M$ a Chinese company now?

            1. 17

              Microsoft isn’t, but Lenovo is.

              1. 1

                And the complaint is about M$ forcing their crap onto a HW vendor. I cannot imagine Lenovo doing this on their own. There is no money in that.

                1. 7

                  I mean, for all we know, Lenovo might be getting a good deal out of this as well – sure, there may be no money to be taken straight from customers for it, but that’s not the only source of money nor the only metric for a good deal. Just because it was a contractual obligation (if it was) doesn’t mean it was a bad deal or that Lenovo were forced to make it.

                  Not sayin’ you’re not right to suspect Microsoft being nasty here, just that I’ve found it best to distribute suspicion evenly (and in very generous amounts :-D) among corporate actors.

          2. 9

            Well, I will say that assuming this was actually a contractual obligation, the culpability is on Microsoft, and Lenovo did the best they could. I’m not letting Microsoft off the hook at all here.

            1. 0

              Because some tech people still work at M$ for some reason. It’s mind boggling how legions of people who dedicate their life to understanding technology end up creating walled gardens.

              1. 11

                I don’t think it’s that mind boggling. Creating walled gardens is lucrative and M$ pays pretty okay.

                1. 2

                  Ok. One shouldn’t be surprised by people being willing to do questionable things for money. But this is literally working on something that they are probably going to be working around one or two employers later.

                  Or is it different in the US? Is it like really simple to just call one of your friends at M$ and get them cooperating, unlike from EU?

                  1. 4

                    The overwhelming majority of developers in the world will not be affected by this. It’s not like a .NET developer is going to go out of their way to replace the OS on their work laptop.

                    1. 2

                      I have done exactly that and it’s great for me, and actually great for my company, to have at least one person who knows their way around a linux machine (my system dependencies better match cloud dependencies and build chains, if nothing else). And dotnet works really well natively on linux now.

                      I would hope that developers as a group are curious enough that this is pretty common. Realistically I’m sure that the “majority” will only ever use Windows but I like to think and hope it’s not the “overwhelming majority”.

                    2. 3

                      But this is literally working on something that they are probably going to be working around one or two employers later.

                      I think you’re wildly overestimating how many developers will ever voluntarily try to run linux on a laptop (as opposed to a server).

                      1. 5

                        While not fully representative, almost every year the Stack Overflow survey has Linux on personal machines around the 30% ballpark.

                  2. 3

                    It’s not like M$ is somehow worse than all the other big tech companies. I’m sure one could quibble over details, but at a high-level, I’d argue they are all basically the same in terms of walled-garden love.

                    1. 4

                      Sure, but M$ walling off the general purpose computer segment would affect me way more than Google with Apple claiming the phone segment. I make a living off Linux on my (and some of my clients’) productive general purpose computers after all.

                      And I am surprised that other devs don’t mind. I thought the idea was that we are the ones who could always walk away and disrupt as much as we’d like.

                      If this continues, we won’t be able to install Linux and Kodi on a NUC to provide 4k video for the occasional movie screening in our favorite coffee. It would have to be Windows. Meaning, among other things, no SSH remote administration, license fees, reboots in the middle of the movie and so on.

                      We’d have to buy either underpowered RPis or some unlocked industrial devices at much higher price point.

                      Or my aunt’s laptop. She can’t afford a new one, so she has an old Lenovo with Linux. Making the device useful for couple more years. Do we just throw them away once the Windows support ends? Or do we run insecure and/or slow devices?

                      I kinda like how things are now. The freedom of compatible hardware and software without artificial barriers is just more productive.

                      1. 4

                        I generally agree with you, I think it’s a bad precedent and I don’t like where it’s going either.

                        Security being used to enforce stupid things is bad for everyone, not just us that want to run non-Windows.

                        The part I don’t really agree with is that Google or Apple’s or …’s influence is somehow not as bad, they are, just in different ways.

                        1. 1

                          I think that in the past couple of years the general awareness of embedded computing skyrocketed. Thanks to Arduino, RPi and many others.

                          I believe that I will get my Linux phone eventually. Who knows what happens from there?

                          PC lockdown is a trend in the other direction.

                    2. 1

                      For the record, I agree with the “unkind” assessment of my comment, but I was definitely not trolling.

                      I truly believe that people who help build these walled gardens should think about harm they are doing instead of just throwing arms up in the air “it’s just a job”.

                2. 14

                  IMO this requirement is entirely reasonable. I think it’s more important for a company to provide strong defaults for the majority of its customers than to make things easy for competitors, and that shouldn’t change just because a company is the dominant player. Notice I said defaults, not forced restrictions. Booting an alternative OS is an esoteric task that only a tiny percentage of PC customers will ever do, and I think it’s fine to require such customers to tweak a security setting in their firmware, particularly since they don’t have to disable Secure Boot altogether. Defaults can never be perfect for everyone, but I think that having the strongest security by default for the majority of users is the right call here.

                  1. 10

                    I doubt that it would be legal in Norway: Lock-in mechanisms (innelåsende mekanismer), hereunder missing compatibility, is unfair according to Forbrukertilsynet.

                    If you don’t know Forbrukertilsynet, they were the first to forbid DRM on music, for similar reasons.

                    1. 4

                      Do they forbid DRM on video?

                      Regarding this article, I don’t think that this is a real lock-in mechanism. It is a simple toggle to enable the shim and also another toggle that can disable secure boot altogether. I don’t think it is a lock-in to require a few keypresses to change some settings when the default is arguably more secure.

                      1. 1

                        Yes, video shouldn’t be any different. Famously, as DVD-Jon found out, it’s not illegal to break DRM. Note that this is specifically about bought music and bought video.

                        I don’t think it is a lock-in to require a few keypresses to change some settings when the default is arguably more secure.

                        That sounds like a key point. But it also depends on their informational obligations: How many expectations are broken, and do you need to be Matthew Garrett to debug it? I don’t think I could have guessed “the 3rd party key” if I hadn’t read the news today. If you can’t do it with the knowledge that can be expected of a customer, well, that’s a dark pattern, which is also forbidden.

                        1. 4

                          I should add what I feel the law should be similar to the concept where they are required to allow it to be easily turned off so the user can actually own the machine, while at the same time be required to fix any issues that come up for that device during the lifetime + some extra duration of it (so no disabling of the functionality ten years later).

                          So installing your own operating system doesn’t violate the warranty, and the warranty of a fitness for purpose includes fixing any issues booting up the device using third party software - so if you have a disk with debian on it that boots on a few other contemporary machines but doesn’t on this particular laptop - or even better multiple separate machines all being this laptop - then they are required to fix it.

                          1. 4

                            I think EU might be slowly getting there with the sideloading mandate. I don’t think they will explicitly cover different OSes, but the wording might be loose enough for courts to pry it wide open. Also, FSFE is probably lobbying as much as possible to include the OSes explicitly.

                            1. 2

                              I’m convinced they’re in as well, I’m not very hopeful. It’s going to include too many holes. If you think FSFE is lobbying, what do you think MS is doing? They’ve been proven that they abuse their monopoly and that they don’t stop on “lobbying” and go straight for bribe and corruption.

                              EU might get the doors cracked a little. But wide open? I’m not hopeful.

                    2. 3

                      As the article states though, turning the 3rd-party signing key toggle on by default would not weaken the security model.

                      1. 3

                        I think requiring users to install their own security keys in order to install Linux would be unreasonable. But IMO, having to change one toggle switch in the BIOS is fine.

                        1. 3

                          Yeah, I mean, slippery slope and all, but the first time I installed Linux on my computer like 20 years ago I had to fiddle with way more BIOS settings than a toggle switch. As long as I don’t have to recite incantations at the EFI shell, this just falls under the old “tinker with your machine until you get to the login prompt” dance that I do about twice during a laptop’s useful life.

                    3. 17

                      Add that on top of many Thinkpads being bricked when a user installs their own secureboot key, and some reports of having their warranty denied because this was “user-induced”.

                      1. 3

                        Oof. That’s bad. I actually preordered a Lenovo device recently (due to it being the only device with the specs I needed). I’ve never bothered with my own keys–and definitely won’t after reading this.

                        1. 2

                          This isn’t actually the same kind of issue though. The issue is that there is some OpROM from some PCI device on most modern Thinkpads which is signed by Microsoft. As these OpROMs are loaded and validated as part of the UEFI boot chain, failing to verify that file would result in that piece of hardware failing to load.

                          In most cases this would apply to external GPUs, NVMes and stuff. I’m not sure what piece of hardware is the issue in the X13 and T14 case though.

                          The solution to this issue is to enroll the appropriate hash from the TPM eventlog into the db, or keep the Microsoft 3rd party UEFI CA along with your self-signed keys.

                        2. 11

                          In all digital matters, we are heading straight for turnkey totalitarianism, if we aren’t already there. For those who don’t know what that means: Yes, your liberties aren’t yet removed, but all it takes to remove them is one little change, for example the removal of an option in a menu. Windows 11 requiring a TPM (essentially for no reason other than security theater) is another step in that direction. The end-game is obvious: The vast majority of people can only execute software that is approved by some authority. The computer, the most empowering tool in human history, is well on its way to become the most disempowering tool to ever exist.

                          1. 8

                            This sort of hot take is basically never useful, because it doesn’t hold together unless you assume literal cartoon-villain-level motivations and behavior on the part of all software and hardware vendors, and assume that they are all working together explicitly and in perfect unison toward the same cartoon-villain goal (“At last! Our long campaign to destroy freedom and happiness is coming to fruition!”).

                            If you insist on framing it in “freedom” terms, though, I’ll fire back with a way of putting it that I’ve used a few times, namely that what this is really about is a “freedom” that somehow got left out of the manifestos. Since Stallman went all the way down to Zero, we’ll call this one Freedom Negative One, and it is phrased as:

                            The freedom of anyone, anywhere, to run any software, for any purpose, at any time, on your hardware.

                            Now, Stallman himself has occasionally leaned toward perhaps wanting to grant this one — he certainly has a history stretching back to being against even differently-privileged accounts on multi-user systems — but most of the world is not interested in or willing to grant Freedom Negative One, and computer security is entirely about how to avoid granting it, and the tradeoffs that come as a result.

                            In other words: many people openly want to have a computer that runs only the things they themselves wanted to have running. Any method of achieving this, from TPMs to signed packages to even fundamental things like memory segmentation, involves some compromises in terms of making it more difficult for a program to do whatever the programmer wanted, and in some cases even what the user might have wanted, in order to prevent programs from doing things the user did not want. So blanket painting of this as a cartoon-villain plan to destroy freedom is fundamentally unhelpful and ignores the fact that compromises already have been and will continue to be made, long before TPMs existed. Unless you’re willing to roll it all back, you do not get to have an absolutist moralistic position.

                            So please reframe your arguments accordingly.

                            1. 13

                              This sort of hot take is basically never useful, because it doesn’t hold together unless you assume literal cartoon-villain-level motivations and behavior on the part of all software and hardware vendors

                              That is simply untrue. The loss of freedom is in general not caused by conspiracy but by a lack of care by those who enjoyed it. The vendors make huge profits off closed ecosystems, it’s in their best interest to conjure up all kinds of arguments to lock platforms down, like security, a common design language, vetted applications, etc. We undeniably move more and more into the direction of locked down platforms, not due to a conspiracy but due to convergence of both economic and governmental interests.

                              and computer security is entirely about how to avoid granting it, and the tradeoffs that come as a result.

                              Again, not true at all. The freedom to run any software and security are orthogonal. That’s what containers and virtualization are for.

                              many people openly want to have a computer that runs only the things they themselves wanted to have running

                              Yes, but what they will get is a machine that runs only the things that someone in Redmond or Cupertino - or Washington for that matter - wants to have running. Which is something entirely different.

                              Any method of achieving this, from TPMs to signed packages to even fundamental things like memory segmentation, involves some compromises in terms of making it more difficult for a program to do whatever the programmer wanted

                              The end result is inevitable and we already saw it happening on the iPhone: The manufacturer has complete control over the ecosystem and can control what content apps allow. Apps that allow people to publish content that is not liked by the owners of the ecosystem are forced into censorship. This is not a conspiracy, this has been happening for years.

                              So please reframe your arguments accordingly.

                              It is you who has to catch up with the current millennium.

                              1. 4

                                The freedom to run any software and security are orthogonal. That’s what containers and virtualization are for.

                                In the interest of civility, I will only say that this statement betrays an enormous amount of naiveté.

                                1. 8

                                  I am actually well-versed in security topics. The vast majority of modern hacks and exploits are done through methods like phishing, social engineering, leaked credentials and authentication tokens, databases and files that are public by accident, etc. Things like breaking out of the hypervisor, breaking the virtual machine, exploiting the runtime etc. are exceedingly rare. It is the human wetware that is exploited, not the copper & silicon.

                              2. 4

                                No, I assume “stay in business” motivations on the part of most software and hardware vendors.

                                I assume a combination of cartoonish evil and cartoonish short-sightedness out of all lawmakers (and for that matter nearly all the voters who elect them), only because events have never yet proven me wrong. Give them a capability like this, tell them that all they have to do is push a button to stop all computer crime, all identity theft, all child porn forever, and all it will hurt is criminals and a few neckbeard weirdos, and not only will they jump at the opportunity to walled-garden every device with more computing power than an abacus (to the benefit of a few companies who are first in line), they will actively destroy the lives of anyone who opposes it. It doesn’t matter that the promise is a lie. It only matters what you promise.

                            2. 2

                              The last respectable Lenovo laptops were ThinkPad *20 series from 2011 (W520/T420/T420s/X220).

                              After introduction of ‘island’ type keyboard in *30 models it was not different from Acer or Asus offerings …

                              1. 3

                                It’s relatively easy to mod an X230 to use the X220 keyboard, then you get the best of both worlds (well, as good as ivy bridge is over sandy bridge)

                                1. 2

                                  Yes. Similar to T430/W530/T530 modding and fitting T420/W520/T520 7-row keyboard … but as you know that was not the point of my comment :)

                                  Lenovo decided they want to abandon that great 7-row keyboard (and sturdy modular ThinkPad design) in favor of island bullshit keyboard along with what was ‘popular’ and ‘fashion’ at the time … the worst thing that could happen to IBM ThinkPads was the transaction to sell them to Lenovo.

                                  Kinda similar for Sun Solaris system being taken over by Oracle …

                                  Both tragic stories.

                                  1. 1

                                    I have a couple of X230s, and like them a lot. The keyboard is not as good as the X220, but they’re just as modular and repairable, and have some notable advantages over the X220 (USB 3, for example). Now, I’ve got an X240, and it’s absolute crap…

                                    1. 1

                                      You can get X220 with one (left) USB 3.0 port but you have to get it with i7 CPU.

                                      From what I remember the *40 series (and X240) were the first ones where there were no physical touchpad buttons - which sucked a lot.

                                      They bring them back in *50 series :)

                              2. 1

                                Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default. This means that for any of these Lenovo platforms shipped with Windows preinstalled an extra step is needed to allow Linux to boot with secure boot enabled.

                                This is actually wrong. I’m installing Arch on a new Thinkpad T14 Gen 3 with no Windows preinstalled. The option to enable the 3rd party UEFI certificate is there, but it’s disabled by default. However Secure Boot is also disabled.

                                1. 2

                                  Which part exactly are you claiming is wrong?

                                  1. 1

                                    They claim it’s only done for machines with Windows pre-installed. This is not the case.

                                    1. 2

                                      That’s not really what the text is saying though, but I agree that it’s a bit uncarefully worded. It’s just mentioning an extra step for the specific case of Windows being preinstalled, it’s not actually saying anything about the non-preinstalled case.

                                      1. 1

                                        It’s fair to read the text as inclusive. If this was the default for every laptop there would be no need to specify “with Windows preinstalled” in the text.

                                        1. 1

                                          I disagree, the first sentence says that it applies to all “Secured-core PCs”. The second sentence gives additional information of the specific sub-case of computers with Windows preinstalled where you need to perform an extra step to boot into Linux while leaving secure boot enabled.

                                          So again, while I think it could have been worded more carefully, it’s entirely self-consistent.
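
Added example, not part of the thread or any commenter's code: the comment above on Option ROM failures suggests enrolling "the appropriate hash from the TPM eventlog into the db". This Python parser reads a crypto-agile TCG event log and returns the SHA-256 digests of `EV_EFI_BOOT_SERVICES_DRIVER` events; the function names, the PCR 2 filter (where the TCG PC Client profile places code from add-in devices) and the sample log are assumptions constructed for illustration.

```python
import hashlib
import struct

EV_NO_ACTION = 0x00000003
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_BOOT_SERVICES_DRIVER = 0x80000004
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B


def parse_spec_id(data):
    """Return {alg_id: digest_size} from the Spec ID Event03 payload."""
    if data[:16] != b"Spec ID Event03\x00":
        raise ValueError("not a crypto-agile (TPM 2.0) event log")
    # Layout: signature[16], platformClass u32, 4 x u8, numberOfAlgorithms u32
    (count,) = struct.unpack_from("<I", data, 24)
    return dict(struct.unpack_from("<HH", data, 28 + 4 * i) for i in range(count))


def option_rom_hashes(log, pcr=2):
    """SHA-256 digests of driver images measured into `pcr` (assumed: PCR 2)."""
    # The first record keeps the legacy layout: pcr, type, SHA-1 digest, size.
    _, etype, _, size = struct.unpack_from("<II20sI", log, 0)
    if etype != EV_NO_ACTION:
        raise ValueError("missing Spec ID header event")
    sizes = parse_spec_id(log[32:32 + size])
    off, found = 32 + size, []
    while off < len(log):
        ev_pcr, etype, ndigests = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(ndigests):
            (alg,) = struct.unpack_from("<H", log, off)
            if alg not in sizes:
                raise ValueError(f"undeclared digest algorithm {alg:#06x}")
            digests[alg] = log[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        (size,) = struct.unpack_from("<I", log, off)
        off += 4 + size  # skip the event data (image load info, device path)
        if (ev_pcr == pcr and etype == EV_EFI_BOOT_SERVICES_DRIVER
                and TPM_ALG_SHA256 in digests):
            found.append(digests[TPM_ALG_SHA256].hex())
    return found


def _event(pcr, etype, blob):
    # Constructed record: real firmware logs the Authenticode hash of the PE
    # image; a plain hash of placeholder bytes stands in for it here.
    digests = struct.pack("<H", TPM_ALG_SHA1) + hashlib.sha1(blob).digest()
    digests += struct.pack("<H", TPM_ALG_SHA256) + hashlib.sha256(blob).digest()
    return struct.pack("<III", pcr, etype, 2) + digests + struct.pack("<I", 0)


def build_sample_log():
    """Constructed log: header, one PCR 2 driver event, one PCR 4 loader event."""
    spec = b"Spec ID Event03\x00" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
    spec += struct.pack("<HHHH", TPM_ALG_SHA1, 20, TPM_ALG_SHA256, 32) + b"\x00"
    header = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    return (header
            + _event(2, EV_EFI_BOOT_SERVICES_DRIVER, b"constructed option ROM image")
            + _event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"constructed boot loader"))


if __name__ == "__main__":
    for digest in option_rom_hashes(build_sample_log()):
        print(digest)
```

On Linux the firmware log is exposed at `/sys/kernel/security/tpm0/binary_bios_measurements`; compare the digests it yields against the images you expect before adding any of them to db.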