Lenovo ThinkPad Z13 with the built-in Pluton security chip won’t boot Linux

Microsoft launched the Pluton security chip in November 2020, which aims to provide a combination of hardware and software security and improve the security of the Windows operating system. Then Intel, AMD, and Qualcomm announced that they would cooperate with Microsoft to build the Pluton security chip into the processor. At the CES 2022 exhibition earlier this year, AMD announced the industry’s first Ryzen PRO 6000 series with a built-in Pluton security chip, and Lenovo’s ThinkPad Z13/Z16 laptops are one of the few platforms to feature this series of processors.

As reported by Phoronix, Linux security expert Matthew Garrett found that it is impossible to boot the Linux operating system on the ThinkPad Z13. The ThinkPad Z13 is powered by an AMD Ryzen PRO 6860Z processor with the Pluton security chip built in. In its default firmware configuration it only trusts Microsoft’s keys and does not trust the third-party UEFI key used to sign the boot loaders of the various Linux distributions, which means no Linux OS can boot.

He wrote on his blog, “This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won’t be able to boot from any third-party external peripherals that are plugged in via Thunderbolt. There’s no security benefit to this. If you want security here you’re paying attention to the values measured into the TPM, and thanks to Microsoft’s own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets. It’s trivial to detect this. Distrusting the 3rd party CA by default doesn’t improve security, it just makes it harder for users to boot alternative operating systems.”
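To illustrate the PCR 7 argument above, here is an added example (not from the article or from Garrett’s blog) that models how PCR 7 is built from the Secure Boot variable measurements and the signing authority that verified the boot loader. The variable contents and certificate bytes are constructed placeholders, and the model hashes raw variable contents rather than the full UEFI_VARIABLE_DATA structures real firmware logs, but the chain of extends is the one the measurement specification describes.

```python
import hashlib
import hmac


def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """TPM 2.0 extend operation: PCR_new = SHA-256(PCR_old || event_digest)."""
    return hashlib.sha256(pcr + event_digest).digest()


def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed stand-ins for the Secure Boot variables that firmware measures
# into PCR 7 as EV_EFI_VARIABLE_DRIVER_CONFIG events, in this order.
SECURE_BOOT_VARS = [
    ("SecureBoot", b"\x01"),
    ("PK", b"OEM platform key (constructed placeholder)"),
    ("KEK", b"Microsoft KEK CA 2011 (constructed placeholder)"),
    ("db", b"Windows PCA 2011 + Microsoft UEFI CA 2011 (constructed placeholder)"),
    ("dbx", b"forbidden signatures list (constructed placeholder)"),
]
SEPARATOR = b"\x00\x00\x00\x00"  # EV_SEPARATOR between config and authority events

# The db entry that actually authorised the boot loader is measured afterwards
# as EV_EFI_VARIABLE_AUTHORITY. Which entry that is depends on what booted.
WINDOWS_PCA = b"Microsoft Windows Production PCA 2011 (constructed placeholder)"
THIRD_PARTY_CA = b"Microsoft Corporation UEFI CA 2011 (constructed placeholder)"


def simulate_pcr7(authority: bytes, variables=SECURE_BOOT_VARS) -> bytes:
    """Replay the PCR 7 event sequence for a boot verified by `authority`."""
    pcr = bytes(32)  # PCR 7 starts at all zeros at power-on
    for _name, value in variables:
        pcr = pcr_extend(pcr, measure(value))
    pcr = pcr_extend(pcr, measure(SEPARATOR))
    pcr = pcr_extend(pcr, measure(authority))
    return pcr


def unseal_allowed(policy_pcr7: bytes, current_pcr7: bytes) -> bool:
    """A secret sealed to PCR 7 is released only if the live value matches the policy."""
    return hmac.compare_digest(policy_pcr7, current_pcr7)


if __name__ == "__main__":
    windows_boot = simulate_pcr7(WINDOWS_PCA)
    third_party_boot = simulate_pcr7(THIRD_PARTY_CA)
    print("PCR 7 after Windows boot:    ", windows_boot.hex())
    print("PCR 7 after 3rd-party boot:  ", third_party_boot.hex())
    print("secret sealed to Windows PCR 7 released on 3rd-party boot?",
          unseal_allowed(windows_boot, third_party_boot))
```

Because the authority event differs, the two PCR 7 values differ and a secret sealed to the Windows value stays sealed; on a real machine the same comparison can be made against `tpm2_pcrread sha256:7` or the kernel’s `/sys/kernel/security/tpm0/binary_bios_measurements` log.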

The Pluton security chip came about as a result of new attacks that have emerged in recent years which indirectly compromise the Trusted Platform Module (TPM), long the preferred method of protecting computers from potential threats. The TPM is used to store encryption keys for services like BitLocker and Windows Hello, and the newer attacks compromise the system by targeting the channel between the TPM and the CPU. The Pluton security chip will keep the system firmware updated: if a vulnerability is found in the system and a patch is pushed, the Pluton security chip will take care of applying it.