Microsoft Pluton chip won't allow Linux boot


    Microsoft Pluton chip won't allow Linux boot

    https://www.kitguru.net/components/c...nt-boot-linux/

    AMD has been developing exclusive Ryzen chips for select PC OEMs, like Lenovo. These Ryzen Pro processors use Microsoft's Pluton security chip, although it seems that Pluton does limit OS compatibility, limiting these processors to the Windows OS.

    Matthew Garrett (via Phoronix), a Linux security specialist, wanted to analyse the implementation of the Microsoft Pluton on the Ryzen Pro 6860Z Zen3+ processor. Ultimately, this didn't go very well, as he couldn't get a Linux install to complete.

    As it seems, the firmware doesn't trust any bootloaders besides Microsoft's, or any drivers signed with Microsoft's 3rd Party UEFI CA key. In other words, trying to install any other OS that's not Windows won't work. Moreover, any third-party external peripherals that are plugged in via Thunderbolt shouldn't work.

    According to Garrett, this decision doesn't offer any additional security, it just makes it harder for users to install any OS that's not Windows. Fortunately, you can disable the Pluton chip via UEFI, allowing you to install alternative operating systems.

    KitGuru says: This implementation of Pluton makes it seem like some form of Windows DRM, rather than a security-enhancing chip.
    https://allinfo.space/2022/07/09/mic...o-z13-and-z16/

    Following his observations, Matthew Garrett aka “mjg59” complains that locking out free operating systems does not generate any security benefits.

    This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt.

    There's no security benefit to this. If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets.

    It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems.

    Matthew Garrett, Information Security Architect

    Last edited by GreyGeek; Aug 27, 2022, 04:37 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.
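    The PCR 7 argument in Garrett's quote above is easy to check mechanically. The script below is an added illustration, not code from this thread, from mjg59 or from Microsoft: it models the event sequence firmware records into PCR 7 (the Secure Boot variables, a separator, then the EV_EFI_VARIABLE_AUTHORITY event naming the db certificate that actually verified the bootloader), replays it the way an attestation verifier would, and shows that a secret sealed to the Windows-boot PCR 7 value no longer unseals after a shim boot verified by the 3rd party CA. The certificate and variable contents are constructed stand-ins, and the seal/unseal pair is a toy stand-in for TPM2 policy sealing, not the TPM's own primitive.

```python
"""Model of how UEFI Secure Boot state is measured into TPM PCR 7 and why a
secret sealed to that PCR stops unsealing once a bootloader signed by a
different CA runs.  Added illustration; the event layout follows the TCG PC
Client / Microsoft PCR 7 conventions, the variable contents are constructed
stand-ins, and seal()/unseal() are a toy stand-in for TPM2 policy sealing."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

HASH = hashlib.sha256
PCR_INIT = bytes(32)  # the SHA-256 PCR bank starts zeroed

# Constructed stand-ins for the certificate bodies held in the Secure Boot variables.
WIN_CA = b"stand-in for Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = b"stand-in for Microsoft Corporation UEFI CA 2011"
PK = b"stand-in for OEM platform key"
KEK = b"stand-in for Microsoft Corporation KEK CA 2011"
DBX = b"stand-in for forbidden-signatures list"


@dataclass(frozen=True)
class Event:
    kind: str    # TCG event type name
    name: str    # UEFI variable name, or "separator"
    data: bytes  # what the firmware measured


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR = H(old PCR || digest)."""
    return HASH(pcr + digest).digest()


def pcr7_events(db: List[bytes], signer: bytes, secure_boot: bool = True) -> List[Event]:
    """Events firmware records into PCR 7 on a Secure Boot-enabled boot:
    the Secure Boot configuration (EV_EFI_VARIABLE_DRIVER_CONFIG), a
    separator, then EV_EFI_VARIABLE_AUTHORITY naming the db entry that
    authenticated the bootloader.  That last event is what differs between
    a Windows boot and a shim boot on the same firmware configuration."""
    config = [("SecureBoot", bytes([int(secure_boot)])), ("PK", PK), ("KEK", KEK),
              ("db", b"".join(db)), ("dbx", DBX)]
    log = [Event("EV_EFI_VARIABLE_DRIVER_CONFIG", n, v) for n, v in config]
    log.append(Event("EV_SEPARATOR", "separator", b"\x00\x00\x00\x00"))
    log.append(Event("EV_EFI_VARIABLE_AUTHORITY", "db", signer))
    return log


def replay_pcr7(log: List[Event]) -> bytes:
    """Recompute PCR 7 from an event log, as an attestation verifier does."""
    pcr = PCR_INIT
    for ev in log:
        pcr = pcr_extend(pcr, HASH(ev.data).digest())
    return pcr


def bootloader_signer(log: List[Event]) -> bytes:
    """The authority event alone tells you which CA verified the bootloader."""
    for ev in log:
        if ev.kind == "EV_EFI_VARIABLE_AUTHORITY":
            return ev.data
    raise ValueError("no EV_EFI_VARIABLE_AUTHORITY event in log")


def seal(secret: bytes, pcr7: bytes) -> dict:
    """Toy stand-in for sealing under a TPM policy bound to PCR 7 (secret <= 32 bytes)."""
    assert len(secret) <= 32
    key = HASH(b"toy-seal|" + pcr7).digest()
    return {"policy": HASH(b"policy|" + pcr7).digest(),
            "ct": bytes(a ^ b for a, b in zip(secret, key))}


def unseal(blob: dict, pcr7: bytes) -> Optional[bytes]:
    """Returns the secret only if the current PCR 7 satisfies the sealing policy."""
    if HASH(b"policy|" + pcr7).digest() != blob["policy"]:
        return None
    key = HASH(b"toy-seal|" + pcr7).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], key))


def demo() -> dict:
    db = [WIN_CA, THIRD_PARTY_CA]                # firmware with the 3rd party CA enabled
    windows_log = pcr7_events(db, WIN_CA)        # bootmgfw.efi verified by the Windows CA
    shim_log = pcr7_events(db, THIRD_PARTY_CA)   # shim verified by the 3rd party CA
    win_pcr, shim_pcr = replay_pcr7(windows_log), replay_pcr7(shim_log)
    blob = seal(b"volume key sealed by Windows", win_pcr)
    return {
        "pcr7_differs": win_pcr != shim_pcr,
        "unseal_under_windows": unseal(blob, win_pcr),
        "unseal_under_shim": unseal(blob, shim_pcr),
        "shim_signer": bootloader_signer(shim_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

    Two things follow from the model. The db contents are themselves measured, so toggling the 3rd party CA in firmware also changes PCR 7 for a plain Windows boot, and anything sealed under the old value must be re-sealed. And a verifier does not even need the PCR value to notice a non-Windows boot: the EV_EFI_VARIABLE_AUTHORITY entry in the event log names the CA that verified the bootloader, which is the "trivial to detect" part of the quote.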

    #2
    Microsoft Pluton chip won't allow Linux boot
    .......using default bios settings. <sigh> just some minor-ish clickbait

    https://www.phoronix.com/news/Lenovo...indows-Default
    https://www.phoronix.com/review/rembrandt-linux-boot



      #3
      Originally posted by claydoh View Post
      .......using default bios settings. <sigh> just some minor-ish clickbait

      https://www.phoronix.com/news/Lenovo...indows-Default
      https://www.phoronix.com/review/rembrandt-linux-boot
      Clickbait from your POV, with your experience and skill set. But for Joe and Sally Sixpack it is a show stopper.
      This is the part that wasn't made clear in Garrett's blog post -- the 3rd party certificate can be easily enabled. But I do agree with his assessment that it's a stupid mandate to now have to disable this certificate by default and doesn't seem to be based on firm security reasons. Particularly around the lack of messaging over this change in default behavior it leads to a poor user experience and customers may just assume Linux is having technical troubles in booting on new laptops or other troubles.
      and...
      It's unfortunate that Microsoft is apparently mandating the third-party UEFI CA be disabled by default, based on the AMD and Lenovo comments. But at least in the case of current Lenovo ThinkPads, the certificate can be easily enabled and still there is the ability to disable UEFI SecureBoot outright. It will be more of an issue if any of the other laptop vendors forego having these options readily accessible to end-users or outright don't load the third party certificate onto devices. It's also poor user experience right now that when trying to boot a Linux distribution on a new device that it silently fails without any explanation or indication of the Secure Boot certificate status.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.
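      The Phoronix quotes above turn on one firmware setting: whether the Microsoft 3rd party UEFI CA is loaded in the Secure Boot db variable. The script below is an added example, not from this thread, Phoronix or Lenovo, that answers that question from a running Linux system by parsing the EFI_SIGNATURE_LIST structures the db variable is made of. The efivarfs path is the usual Linux location and is an assumption of the script; the sample variables at the bottom are constructed (fake certificate bodies carrying only the subject string) so the check can run offline.

```python
"""Check whether the Microsoft third-party UEFI CA is present in the Secure
Boot db variable.  Added example; it parses the EFI_SIGNATURE_LIST format
used by db/dbx/KEK.  The sample data at the bottom is constructed."""
import struct
import uuid
from pathlib import Path
from typing import Iterator, List, Tuple

# Assumed path: db as exposed by efivarfs (GUID is EFI_IMAGE_SECURITY_DATABASE_GUID).
EFIVARS_DB = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
THIRD_PARTY_CA_SUBJECT = b"Microsoft Corporation UEFI CA 2011"
WINDOWS_CA_SUBJECT = b"Microsoft Windows Production PCA 2011"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk the concatenated EFI_SIGNATURE_LISTs in a variable and yield
    (SignatureType, SignatureOwner, SignatureData) for every entry."""
    off = 0
    while off < len(data):
        if off + SIGLIST_HDR.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < SIGLIST_HDR.size or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=type_le)
        pos = off + SIGLIST_HDR.size + hdr_size
        while pos + sig_size <= end:               # each EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def x509_certs(data: bytes) -> List[bytes]:
    return [sig for t, _, sig in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]


def ca_present(data: bytes, subject_cn: bytes) -> bool:
    """DER stores the subject CN as plain ASCII, so a substring match on the
    raw certificate is enough to answer 'is this CA in db?'."""
    return any(subject_cn in cert for cert in x509_certs(data))


def secure_boot_db_status(data: bytes) -> dict:
    return {"x509_entries": len(x509_certs(data)),
            "windows_ca": ca_present(data, WINDOWS_CA_SUBJECT),
            "third_party_ca": ca_present(data, THIRD_PARTY_CA_SUBJECT)}


def read_efivar(path: Path) -> bytes:
    """efivarfs prefixes the variable data with a 4-byte attributes word."""
    return path.read_bytes()[4:]


# --- constructed sample data so the check can be exercised offline -----------
def build_siglist(entries: List[bytes], sig_type: uuid.UUID = EFI_CERT_X509_GUID) -> bytes:
    """Pack equal-sized entries into one EFI_SIGNATURE_LIST (no signature header)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    owner = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # any owner GUID works here
    body = b"".join(owner.bytes_le + e for e in entries)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


FAKE_WIN_CERT = b"constructed stand-in cert body, subject CN=" + WINDOWS_CA_SUBJECT
FAKE_3P_CERT = b"constructed stand-in cert body, subject CN=" + THIRD_PARTY_CA_SUBJECT
SAMPLE_DB_DEFAULT = build_siglist([FAKE_WIN_CERT])                       # Windows CA only
SAMPLE_DB_ENABLED = SAMPLE_DB_DEFAULT + build_siglist([FAKE_3P_CERT])    # 3rd party CA enabled
SAMPLE_DBX = build_siglist([bytes(32), bytes([1]) * 32], EFI_CERT_SHA256_GUID)  # hash entries

if __name__ == "__main__":
    data = read_efivar(EFIVARS_DB) if EFIVARS_DB.exists() else SAMPLE_DB_ENABLED
    print(secure_boot_db_status(data))
```

      Run it from a live system booted with Secure Boot off (or from any boot that reached Linux) and "third_party_ca": False is the condition the quotes describe: shim will be refused with Secure Boot on until the CA is enabled in the firmware setup. The parser also handles hash-type lists such as dbx, which is why the sample includes one.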



        #4
        It is still a clickbait headline

        compared to others on the same topic, this is a misleading headline though many/most of the other headlines were also poor - making it seem like it is impossible to boot Linux on these machines.

        Notice the Phoronix headline is a much more accurate headline, as is mjg's post title.



        Clickbait.



          #5
          Originally posted by claydoh View Post
          It is still a clickbait headline

          compared to others on the same topic, this is a misleading headline though many/most of the other headlines were also poor - making it seem like it is impossible to boot Linux on these machines.

          Notice the Phoronix headline is a much more accurate headline, as is mjg's post title.



          Clickbait.
          By saying that the article is "clickbait" are you implying that noobs not being able to boot an install LiveUSB isn't an issue of concern?

          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
          – John F. Kennedy, February 26, 1962.



            #6
            Both things can be true at the same time.

            But why does this particular piece misleadingly leave out very important information?

            This article is clickbait as well as misleading



              #7
              I'm concerned about the number of noobs that will give up on Linux after trying to install it and being prevented because of the silent failures. Linux will be blamed, of course. It isn't "misleading" if noobs don't know how to work around the silence.
              We'll just have to agree to disagree.
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
              – John F. Kennedy, February 26, 1962.



                #8
                Originally posted by GreyGeek View Post
                We'll just have to agree to disagree.
                :thumbs up: (no smilie for that one)
                Windows no longer obstructs my view.
                Using Kubuntu Linux since March 23, 2007.
                "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                  #9
                  Sure, we disagree that one specific article that seems to purposefully leave out important, relevant info is *better* for newbies (or simply may be outdated, and never updated with better info)?? One that heavily implies that it is not even possible to install Linux on these types of systems at all (untrue) is *better* for the Linux-curious?

                  Well, at least it does link to the sources.
