Microsoft Pluton chip won't allow Linux boot
https://www.kitguru.net/components/c...nt-boot-linux/
https://allinfo.space/2022/07/09/mic...o-z13-and-z16/
AMD has been developing exclusive Ryzen chips for select PC OEMs, like Lenovo. These Ryzen Pro processors use Microsoft's Pluton security chip, although it seems that Pluton does limit OS compatibility, limiting these processors to the Windows OS.
Matthew Garret (via Phoronix), a Linux security specialist, wanted to analyse the implementation of the Microsoft Pluton on the Ryzen Pro 6860Z Zen3+ processor. Ultimately, this didn't go very well, as he couldn't get a Linux install to complete.
As it seems, the firmware doesn't trust any other bootloaders besides Microsoft's or any drivers using Microsoft 3rd Party UEFI CA key. In other words, trying to install any other OS that's not Windows won't work. Moreover, any third-party external peripherals that are plugged in via Thunderbolt shouldn't work.
According to Garrett, this decision doesn't offer any additional security, it just makes it harder for users to install any OS that's not Windows. Fortunately, you can disable the Pluton chip via UEFI, allowing you to install alternative operating systems.
KitGuru says: This implementation of Pluton makes it seem like some form of Windows DRM, rather than a security-enhancing chip.
Matthew Garret (via Phoronix), a Linux security specialist, wanted to analyse the implementation of the Microsoft Pluton on the Ryzen Pro 6860Z Zen3+ processor. Ultimately, this didn't go very well, as he couldn't get a Linux install to complete.
As it seems, the firmware doesn't trust any other bootloaders besides Microsoft's or any drivers using Microsoft 3rd Party UEFI CA key. In other words, trying to install any other OS that's not Windows won't work. Moreover, any third-party external peripherals that are plugged in via Thunderbolt shouldn't work.
According to Garrett, this decision doesn't offer any additional security, it just makes it harder for users to install any OS that's not Windows. Fortunately, you can disable the Pluton chip via UEFI, allowing you to install alternative operating systems.
KitGuru says: This implementation of Pluton makes it seem like some form of Windows DRM, rather than a security-enhancing chip.
Following his observations, Matthew Garrett aka “mjg59” complains that locking out free operating systems does not generate any security benefits.
This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt.
There's no security benefit to this. If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets.
It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems.
Matthew Garrett, Information Security Architect
This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt.
There's no security benefit to this. If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets.
It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems.
Matthew Garrett, Information Security Architect
Comment