Lenovo's New Ryzen Laptops Default to Windows-Only Boot

Yes, but just AMD CPUs as they are the only ones with the fuses to be blown to do that.
But then again I haven't heard of anybody but Lenovo doing either of these so maybe it will stay isolated to them. And Xbox.

But chips with Pluton are new so more snooping, limitations and vulnerabilities might come out. But haven't yet, to be fair.
 
Since part of the Windows Platform Requirements is the implementation of a default "Standard" Secure Boot mode and a user-selectable "Custom" Secure Boot mode (where other keys can be added), with those lines in the standards doc prefixed with an all-caps MUST, this seems like a Lenovo screwup rather than something required by Microsoft (as it goes directly against the requirements from Microsoft).
But then again I haven't heard of anybody but Lenovo doing either of these so maybe it will stay isolated to them. And Xbox.
Dell have also been doing it with EPYC servers.
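Added example, not code from anyone in this thread: a Python script that walks the Secure Boot db variable (a chain of EFI_SIGNATURE_LIST structures) and reports which of the two Microsoft CAs it carries, so you can tell a Windows-only db (only the Windows Production PCA) from one that also trusts third-party signed loaders (the Microsoft UEFI CA used by shim). The efivarfs path and the constructed sample blob are assumptions; the GUIDs and struct layout are from the UEFI spec.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Subject CNs of the two Microsoft CAs normally enrolled in db.
KNOWN_CAS = [b"Microsoft Windows Production PCA 2011",
             b"Microsoft Corporation UEFI CA 2011"]

def parse_signature_lists(blob):
    """Yield (sig_type, owner_guid, data) for every entry in concatenated
    EFI_SIGNATURE_LISTs: GUID(16) | ListSize u32 | HeaderSize u32 | SigSize u32."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_size and pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def enrolled_cas(blob):
    """Names from KNOWN_CAS whose CN appears in an X.509 entry. DER stores the CN
    as a PrintableString, so a raw substring match works without an ASN.1 parser."""
    found = []
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            for name in KNOWN_CAS:
                if name in data and name.decode() not in found:
                    found.append(name.decode())
    return found

def read_db(path="/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """efivarfs prefixes the variable data with a 4-byte attribute word; drop it."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_list(sig_type, entries):
    """Constructed test helper: wrap equal-sized entries in one EFI_SIGNATURE_LIST."""
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0,
                                            16 + len(entries[0])) + body

# Constructed sample: a fake "certificate" blob carrying only the Windows
# Production PCA name (a Windows-only db) plus one SHA-256 hash entry.
WINDOWS_ONLY_DB = (build_list(EFI_CERT_X509_GUID, [b"\x30\x82" + KNOWN_CAS[0] + bytes(8)])
                   + build_list(EFI_CERT_SHA256_GUID, [bytes(32)]))
```

On a real machine, `enrolled_cas(read_db())` returning only the Windows Production PCA means Microsoft-signed Windows boots but shim-signed Linux media will not until the UEFI CA (or your own key) is enrolled via the "Custom" mode.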
 
We just received a few of these at work. I can confirm you can disable the chip in the BIOS. I'm currently dual booting Windows and Xubuntu.

 
If it can be disabled in BIOS, and that option disabled and protected by, say, IT admin, then this appears to be another layer of security to prevent someone from obtaining the laptop and booting to Linux via USB to circumvent security and, say, quickly mirror the drive before the owner notices. Wouldn't prevent against stronger attacks, but could help cut down on more quick, clandestine attacks.
 
If it can be disabled in BIOS, and that option disabled and protected by, say, IT admin, then this appears to be another layer of security to prevent someone from obtaining the laptop and booting to Linux via USB to circumvent security and, say, quickly mirror the drive before the owner notices. Wouldn't prevent against stronger attacks, but could help cut down on more quick, clandestine attacks.
If the drive is encrypted, booting to another OS would not allow reading it. If it's unencrypted, you can pop the drive and read it in another chassis.
 
Which is why I said "Wouldn't prevent against stronger attacks, but could help cut down on more quick, clandestine attacks."
It's more like worrying about whether your window is armoured enough when your front door is left open and unlocked. If your drive is unencrypted, then Secure Boot is clearly WAY down the priority list. Unencrypted laptop drives are "everyone's password is set to 'password'" levels of basic security fail.

As for quick attacks: I'm pretty confident that with the frankly awful UEFI interfaces most OEMs use (Dell being particularly egregious in breaking keyboard navigation in the most recent version), I could remove the drive from the chassis with an unpowered screwdriver faster than I could disable Secure Boot and boot an alternate OS. And as for 'clandestine': popping a drive into a write-blocker and imaging it (with a shim used to defeat the chassis intrusion switch) is far less noticeable than changing BIOS settings - and thus clearing the keystore - and fiddling with UEFI settings.