Microsoft Pluton: Security chip doesn't let Linux on the Lenovo Z13 and Z16


As found out by programmer Matthew Garrett, who has won multiple FSF Free Software awards from the Free Software Foundation (FSF) for his work on Secure Boot, UEFI, and Linux , the security processor Microsoft Pluton blocks the installation of Linux on the Lenovo ThinkPad Z13 and Z16.

Pluton and Secure Boot lock Linux out< /h2>

As the Phoronix website, which specializes in Linux and open source, first reported, Matthew Garrett, Information Security Architect for the free operating system kernel Linux, has succeeded in designing a Lenovo ThinkPad Z13 in to get hands. He found that Linux cannot be started or installed from a storage medium connected via USB.

Pluton with chip-to-cloud architecture (Image: Microsoft)

In the standard configuration, i.e. the delivery state of the notebook, the security processor that can be integrated into CPUs from AMD, Intel and Qualcomm prevents Linux from starting and only allows Windows to boot. The ThinkPad Z13 tested by the developer uses an AMD Ryzen 7 Pro 6860Z with an integrated Pluton processor.

No security advantages from the blockade

Following his observations, Matthew Garrett aka “mjg59” complains that locking out free operating systems does not generate any security benefits.

This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt.

There's no security benefit to this. If you want security here you're paying attention to the values ​​measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets.

It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems.

Matthew Garrett, Information Security Architect

The programmer goes into more detail about his discoveries in his journal and would like to publish further information there in the future.

For the first time Windows only at Lenovo

Initial investigations by the Linux expert revealed that Microsoft Pluton due to Secure Boot is factory set up so that the security processor only accepts the Windows boot loader and driver and refuses to run anything other than Windows.

The Linux kernel and distributions based on it use the so-called Microsoft 3rd Party UEFI Certificates Authority (CA) for Secure Boot; these are therefore rejected by Pluton. Matthew Garrett writes about this in his blog:

I finally managed to get hold of a Thinkpad Z13 to examine a functional implementation of Microsoft's Pluton security co-processor. Trying to boot Linux from a USB stick failed out of the box for no obvious reason, but after further examination the cause became clear – the firmware defaults to not trusting bootloaders or drivers signed with the Microsoft 3rd Party UEFI CA key.

Matthew Garrett, Information Security Architect

With the ThinkPad Z13 and Z16, Lenovo is offering Windows-Only notebooks in the delivery state for the first time and confirms in an official document (PDF) that Microsoft 3rd party UEFI certificates will not be accepted ex works in the future and will only be released after an intervention in the BIOS have to. Finally, it is then possible to boot Linux – a measure that also causes little understanding for the discoverer.

Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default. This means that for any of these Lenovo platforms shipped with Windows preinstalled an extra step is needed to allow Linux to boot with secure boot enabled.


That took care of it Matthew Garrett was also amazed, because as recently as January, Lenovo explained that Pluton should be deactivated ex works and should only be activated at the user's request, as the Neowin website reported at the time.

Pluton will be disabled by default on 2022 Lenovo ThinkPad platforms. Specifically the Z13, Z16, T14, T16, T14s, P16s and X13 using AMD 6000-series processors. Customers will have the ability to enable Pluton themselves.


Why Pluton is suddenly activated at the factory and why the security processor has to install Linux blocked is not yet known. The security industry was already rather critical when the security chip for the PC, which has been used in the Xbox since 2013, was presented, as ComputerBase also reported.