[sf-lug] MS puts new restrictions on hardware...

Rick Moen rick at linuxmafia.com
Tue Jul 12 14:46:04 PDT 2022

Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

>  This is a warning about MS demanding Secure Core measures
>  implemented on new hardware from its selected brands.

Microsoft's actual marketing name is "Windows secured-core PCs"
("secured" with a "d").  Lenovo's actual firmware subassembly is called
"ThinkShield, a customizable security platform by Lenovo".

I had a difficult time, at first, finding anything other than your
link to TheReg, which of course is notorious for making money from
misrepresentations and exaggerated bushwah.  

(Contrary to TheReg's ignorant assertion, this has nothing to do with
Microsoft's Pluton TPM chip design.)

So, basically the vendor (Lenovo) has disabled, in some models in the
ThinkPad Z-series (at minimum the Z13), handling of the third-party UEFI
CA used to sign non-Windows UEFI binaries, and _claims_ (dubiously, with
no evidence so far) that Microsoft Corporation requires the latter
from all OEMs starting this year, as per a seen-by-nobody revision of
the Windows secured-core PC certification specification, or something
like that.

> So the secured core means that these machines will run only Windows.
> So far no way around this has been found.

Whether Microsoft Corp. made such a demand or not, the situation with
these Lenovo laptop boxen is annoying and possibly the basis for a nice
antitrust action coming to court in about five years, but it is _not_
making the machines "run only Windows", because you can just disable
Secure Boot.

Oh, you didn't realise that, did you?

Moreover, a Lenovo engineer named Mark Pearson wrote on Matt Garrett's blog:

  Glad you got your hands on a Z13 - as a note, there are some FW [RM:
  firmware] fixes coming for fixing a few Linux issues (we haven't 
  finished enablement quite on it yet - but almost there) but it's 
  going to be a Linux certified and supported platform (and I'm 
  personally really liking mine).

  For the 3rd party cert - I didn't get a say in this, but the disabling
  of the 3rd party cert is part of the Microsoft Secured-Core PC
  certification.  You can still enable the cert by going in the BIOS -
  there is an option to enable it there.

  We should have it enabled for our Linux preloaded systems - but it isn't
  for the Windows preload.  You have to toggle it, if you want to boot Linux
  with secure boot enabled.

  I don't think this is a Lenovo-specific thing - maybe we're the first
  out with secured-core?

  I'll flag your points to the team internally and see if I can get any
  feedback - when this initially came up my concern was if we'd still be
  able to boot Linux (and you can).

Clue:  Smart people don't get their technology news from TheReg.
They wait until LWN.net gets around to talking about it, which would
eventually happen if the news is significant.  I note that LWN.net has
said nothing about this, to date - and the story's now about a week old.

So, basically I'll take this seriously when LWN.net sets the story
straight -- if there's a story.  Meanwhile, it would be nice if people
would not drop critical details even from Matthew Garrett's _blog_,
i.e., that disabling Secure Boot averts the problem.

Sheesh, Bobbie, will you _stop and think_ before posting such things?
Because what you posted was, y'know, _wrong_.
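A defender's check for the situation the thread describes, added here as an example and not part of the post or of Lenovo's or Microsoft's tooling: it reads the SecureBoot EFI variable and looks for Microsoft's third-party UEFI CA in a `mokutil --db` listing, so you learn before rebooting whether a shim-signed Linux loader will verify, whether Secure Boot is simply off, or whether the CA has to be enabled in firmware setup first. It assumes a Linux system with efivarfs mounted and `mokutil` installed for the live check; the two db listings are constructed samples in mokutil's output style.

```shell
#!/bin/sh
# Added example, not from the sf-lug thread: on a UEFI-booted Linux box,
# report whether Secure Boot is enforced and whether the firmware signature
# database (db) carries Microsoft's third-party "UEFI CA 2011", the CA that
# signs the shim loader most distributions boot through.

THIRD_PARTY_CA="Microsoft Corporation UEFI CA 2011"
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Constructed "mokutil --db" style listings, trimmed to the relevant lines:
# a typical OEM db, and one holding only Microsoft's own Windows CA.
SAMPLE_DB_FULL='[key 1]
  Subject: C=US, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 2]
  Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'
SAMPLE_DB_WINDOWS_ONLY='[key 1]
  Subject: C=US, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011'

# Return 0 if a db listing on stdin has the third-party CA as a certificate
# Subject (Issuer lines are ignored on purpose).
db_has_third_party_ca() {
    grep '^[[:space:]]*Subject:' | grep -q "CN=$THIRD_PARTY_CA"
}

# Return 0 if Secure Boot is enforced: the EFI variable is 4 attribute bytes
# followed by one data byte (1 = on). The file is absent on legacy-BIOS boots.
secure_boot_enabled() {
    [ -r "${1:-$SB_VAR}" ] || return 1
    [ "$(od -An -t u1 "${1:-$SB_VAR}" | awk '{print $5}')" = 1 ]
}

# Verdict and exit code: 0 = shim-signed loaders verify, 1 = Secure Boot off
# (anything boots, unverified), 2 = on but the third-party CA is missing.
assess() {
    sb_on=$1; db_listing=$2
    if [ "$sb_on" != yes ]; then
        echo "Secure Boot disabled: any loader runs, nothing is verified"; return 1
    fi
    if printf '%s\n' "$db_listing" | db_has_third_party_ca; then
        echo "Secure Boot on, third-party UEFI CA present: shim will verify"; return 0
    fi
    echo "Secure Boot on, third-party UEFI CA absent: enable it in firmware setup"; return 2
}

# Live check against this machine (needs mokutil):  sh check_sb.sh --live
main() {
    if secure_boot_enabled; then sb=yes; else sb=no; fi
    assess "$sb" "$(mokutil --db 2>/dev/null)"
}
case "${1:-}" in --live) main ;; esac
```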
