Slashdot Mirror


Lenovo UEFI Bug Only Likes Windows and RHEL

New submitter Nagilum23 writes "It looks like Lenovo only knows of Windows and RHEL where their ThinkCentre M92p desktop is concerned. While investigating UEFI boot issues, Matthew Garrett found the PC's firmware actually checks the descriptive string for the operating system, and will prevent unlisted operating systems from booting. Garrett writes, 'Every UEFI boot entry has a descriptive string. This is used by the firmware when it's presenting a menu to users - instead of "Hard drive 0" and "USB drive 3", the firmware can list "Windows Boot Manager" and "Fedora Linux". There's no reason at all for the firmware to be parsing these strings. ... there is a function that compares the descriptive string against "Windows Boot Manager" and appears to return an error if it doesn't match. What's stranger is that it also checks for "Red Hat Enterprise Linux" and lets that one work as well. ... This is, obviously, bizarre. A vendor appears to have actually written additional code to check whether an OS claims to be Windows before it'll let it boot. Someone then presumably tested booting RHEL on it and discovered that it didn't work. Rather than take out that check, they then added another check to let RHEL boot as well." Note that this isn't a SecureBoot issue. Lenovo is aware of the problem and looking into it.
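
An added example, not taken from Garrett's post or from this page: a parser for the `EFI_LOAD_OPTION` structure that backs each `Boot####` entry, showing that the descriptive string is a free-form label stored separately from the loader path the firmware actually executes. The sample entries, file paths and helper names are constructed for illustration.

```python
import struct

MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP = 0x04, 0x04   # node that carries a loader file path
END_DEVICE_PATH, END_ENTIRE = 0x7F, 0xFF            # terminator of the device-path list


def _file_node(path):
    """Build a Media/File Path device-path node for a constructed sample."""
    body = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<BBH", MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP, 4 + len(body)) + body


def build_load_option(description, loader_path, attributes=0x1):
    """Serialise a constructed EFI_LOAD_OPTION (0x1 = LOAD_OPTION_ACTIVE)."""
    path_list = _file_node(loader_path) + struct.pack("<BBH", END_DEVICE_PATH, END_ENTIRE, 4)
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<IH", attributes, len(path_list)) + desc + path_list


def parse_load_option(blob):
    """Return (attributes, description, [loader file paths]) from raw Boot#### data.

    Data read from Linux efivarfs carries a 4-byte variable-attribute prefix
    that must be stripped before calling this function.
    """
    if len(blob) < 6:
        raise ValueError("too short for an EFI_LOAD_OPTION header")
    attributes, path_len = struct.unpack_from("<IH", blob, 0)
    end = 6
    while blob[end:end + 2] != b"\x00\x00":      # UTF-16 NUL on a 2-byte boundary
        end += 2
        if end + 2 > len(blob):
            raise ValueError("description is not NUL-terminated")
    description = blob[6:end].decode("utf-16-le")
    pos, stop = end + 2, end + 2 + path_len
    if stop > len(blob):
        raise ValueError("FilePathListLength runs past the end of the variable")
    files = []
    while pos + 4 <= stop:
        ntype, subtype, nlen = struct.unpack_from("<BBH", blob, pos)
        if nlen < 4 or pos + nlen > stop:
            raise ValueError("malformed device-path node")
        if (ntype, subtype) == (END_DEVICE_PATH, END_ENTIRE):
            break
        if (ntype, subtype) == (MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP):
            files.append(blob[pos + 4:pos + nlen].decode("utf-16-le").rstrip("\x00"))
        pos += nlen                               # other node types are skipped
    return attributes, description, files


def loaders_by_label(blobs):
    """Group loader paths under each description, for reviewing what a label covers."""
    seen = {}
    for blob in blobs:
        _, desc, files = parse_load_option(blob)
        seen.setdefault(desc, set()).update(files)
    return seen


# Constructed sample entries (not captured from any machine).
SAMPLES = [
    build_load_option("Windows Boot Manager", r"\EFI\Microsoft\Boot\bootmgfw.efi"),
    build_load_option("Fedora", r"\EFI\fedora\shim.efi"),
    build_load_option("Windows Boot Manager", r"\EFI\example\loader.efi"),
]

if __name__ == "__main__":
    for label, paths in loaders_by_label(SAMPLES).items():
        print(f"{label!r}: {sorted(paths)}")
```

Nothing in the structure ties the description to the file path, so a review of boot entries should key on the loader path (and, where Secure Boot is enabled, its signature) rather than on the label.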


  1. How easy is it to spoof the string? by Anonymous Coward · · Score: 2, Insightful

    ... my guess would be VERY. No problem here for haxors. For the rest of us, just don't buy this crap.

  2. Bug? by Anonymous Coward · · Score: 5, Insightful

    You keep using that word. I don't think it means what you think it means.

    It's not a bug if it's by design, and this is clearly intended behavior.

    1. Re:Bug? by Anonymous Coward · · Score: 5, Interesting

      You're making assumptions about what the intended behavior was. I think it unlikely that they intended to make the machine unbootable for anything other than Windows and RHEL. The bug (yes, bug) probably began with a hack to work around some windows issue that broke booting for anything else. Then, because they maybe only test with windows and rhel, some moron "fixed" the bug by adding a check for RHEL.

    2. Re:Bug? by halltk1983 · · Score: 5, Interesting

      Packard Bell used to do this back in 95. I had a system that specifically would not boot anything but Windows. I spent months trying to get it to run linux. It would not boot anything but windows off the drive. Found out years later that there was a check it did for what was booting.

      --
      Watch for Penguins, they eat Apples and throw rocks at Windows.
    3. Re:Bug? by gmuslera · · Score: 2

      Is a meatware bug, not a software one

    4. Re:Bug? by Pinhedd · · Score: 2

      Never attribute to malice that which can adequately be attributed to stupidity.

      Corollary: Any sufficiently shocking display of stupidity is indistinguishable from malice

    5. Re:Bug? by KiloByte · · Score: 3, Insightful

      Never attribute to malice that which can adequately be attributed to stupidity.

      I guess you haven't seen enough of Microsoft's actions, who are doing their utmost to disprove Hanlon's razor.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:Bug? by theCoder · · Score: 2

      Just for the record, my family had a Packard Bell that ran Mandrake Linux extremely reliably for many years. Though from listening to other people complain about Packard Bells online, I guess we got the only good one they ever made :)

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  3. Well... by Anonymous Coward · · Score: 2, Informative

    Never ascribe to malice what can be explained by Microsoft getting desperate.

    1. Re:Well... by ByOhTek · · Score: 4, Interesting

      Given that RHEL is probably their biggest competitor that move could be considered a counter to - I would say you need to put down your anti-ms tinfoil hat, your brain is overheating.

      It's probably a support engineer related decision - "We don't want to have to deal with questions/complaints regarding unsupported operating systems that have gotten installed... so we'll prevent them from being installed."

      Neither malice nor ms-induced malice, but rather just an idiotic solution to an annoying issue that they probably have to periodically deal with.

      Glad I don't buy Lenovo. I tend to prefer FreeBSD and Hackintosh'ed as my non MS OS.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:Well... by guruevi · · Score: 2

      Are you talking about RHEL or Windows? Because I know Linux can support 16TB de-duplicated volumes for a variety of file systems. Windows however is the one who can't support anything.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:Well... by psmears · · Score: 2

      Errrrr, no. For one thing this actually takes effort which hardware manufacturers are not prone to actually putting in, for another I didn't think they give a crap about supporting any Linux operating systems

      Actually Lenovo are often pretty good about supporting Linux - e.g. they provide information and often drivers and support. I don't think the M92p is a model for which they do this though.

  4. are you serious? by v1 · · Score: 5, Insightful

    I don't see how you can consider this a "bug"? You don't just "accidentally test a string for a specific value". This is clearly intentional operation, not a bug.

    --
    I work for the Department of Redundancy Department.
    1. Re:are you serious? by rsmith-mac · · Score: 5, Insightful

      Bug is probably the wrong term here. I think "hilariously bad design decision" is a more apt description. Clearly someone didn't think this all the way through.

    2. Re:are you serious? by gl4ss · · Score: 2

      sure they did think it.

      the testing checklist included booting on rhel and windows and that's what it boots on - and presumably testing that some os without a signature doesn't boot. never mind it actually being secure or anything, because surely nobody would lie in their descriptive string right?

      can't believe the engineers thought that they would actually ship this though..

      --
      world was created 5 seconds before this post as it is.
    3. Re:are you serious? by tibit · · Score: 2, Insightful

      Man, if you only knew what ships out there...

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re:are you serious? by bill_mcgonigle · · Score: 3, Interesting

      Clearly someone didn't think this all the way through.

      or possibly: somebody merged a diff early. Microsoft gets control of UEFI, RHAT buys a license, and on Day-Zero all new Windows OEM machines ship with UEFI string checkers that only boot Windows or RHEL (without string 'hacks' - possible legal claims over fraud, +- DMCA interoperability claims).

      Nah, could never happen.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. That's just great by Attila+Dimedici · · Score: 2

    That's a great idea. Someone who wrote a virus to boot before the OS would never think to tell UEFI that it was the Windows Boot Manager. /s

    --
    The truth is that all men having power ought to be mistrusted. James Madison
    1. Re:That's just great by ledow · · Score: 5, Informative

      It's nothing to do with Secure Boot, just dodgy BIOS-writing again.

      From TFS: "There's no reason at all for the firmware to be parsing these strings."

      This is basically on a par with Windows 3.1 looking for MS-DOS signatures and refusing to boot otherwise (though that had an illegally anticompetitive reason), with BIOS's like the one I just forced an update from my supplier for (by threatening to return a significant number of laptops) which consisted of a BIOS checking for a certain value on disk being 00 before it would boot from that disk (a value which corresponds to 00 only on unencrypted Windows NTFS-formatted disks) and refusing to boot Truecrypt'd disks or anything with a non-NTFS primary partition (very common on certain HP and Dell models, that particular "bug"), and the like of which I've seen DOZENS of times in my own purchases because of:

      STUPID BIOS WRITERS.

      There is no reason to ever test that string, and certainly none to use it as a conditional to boot. It has nothing to do with any advertised UEFI feature whatsoever. The fact that the UEFI code even bothers to interrogate that string for anything other than displaying it to the user tells you that the manufacturer doesn't care about, and doesn't test, anything but Windows to the point they will hard-code their machines to only run Windows. They don't care about UEFI at all, or secure booting, or anything - just that it works when they run Windows.

      Makes you kinda wonder who would ultimately be behind putting such an unnecessary and counter-productive decision into a machine's BIOS really.

    2. Re:That's just great by tibit · · Score: 4, Interesting

      Most likely: the firmware is outsourced, and the outsourcer implements it to the letter, without applying any thinking.

      --
      A successful API design takes a mixture of software design and pedagogy.
    3. Re:That's just great by mlts · · Score: 2

      I was looking at a heavily discounted HP box on sale, and the one review of the model on Amazon stated exactly this -- it only booted Windows and nothing else.

      If PC makers sell boxes that only boot Windows, they need to both put a warning that functionality has been deliberately limited/crippled, and give the customer a steep discount for shipping equipment that deliberately only functions in a limited context.

      This isn't a knock against MS... if a PC is limited to any OS, that is a deliberate de-functioning of the hardware and should be labeled and warned about.

    4. Re:That's just great by Hatta · · Score: 3, Insightful

      The fact that the UEFI code even bothers to interrogate that string for anything other than displaying it to the user tells you that the manufacturer doesn't care about, and doesn't test, anything but Windows to the point they will hard-code their machines to only run Windows. They don't care about UEFI at all, or secure booting, or anything - just that it works when they run Windows.

      Makes you kinda wonder who would ultimately be behind putting such an unnecessary and counter-productive decision into a machine's BIOS really.

      And people don't believe me when I tell them that OEMs will chomp at the bit to lock people out of other OSs with secure boot when MS finally flips the switch. They already care about nothing but Windows.

      --
      Give me Classic Slashdot or give me death!
  6. The apple has fallen quite far from the tree by Anonymous Coward · · Score: 3, Insightful

    I used to like IBM and Lenovo computers. But this offends me.

    1. Re:The apple has fallen quite far from the tree by ByOhTek · · Score: 2

      Since I've no mod points, and couldn't mod this topic anyway... Seconded.

      Manufacturers shouldn't be able to tell the users of their hardware what software can be used on their hardware. At most, they should say "there are known issues of this software potentially causing physical damage." And if I got that, I'd probably reply with "The 80s/early 90s called, they want their computer problems back."

      Shrug, plenty of other good hardware vendors out there. Though for a desktop, I've never understood not building your own, if you've got the skill and aren't in a business setting.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  7. here, breathe into this bag. by markhahn · · Score: 2

    if it must frob for strings, let's all just agree to put "grub" in there.

  8. Re:Testing the water? by Alex+Belits · · Score: 3, Interesting

    Then all Linux distributions, plus EFF, should sue Lenovo, if for no other reason than just to show how much everyone cares. I would contribute to that if necessary.

    --
    Contrary to the popular belief, there indeed is no God.
  9. fixing what isn't broken by bored · · Score: 4, Insightful

    UEFI is pretty much a case of fixing what isn't broken, yet with any software project it's bound to have bugs in the first few iterations.

    And, oh boy does it. name brand motherboards that brick when flashed, systems that don't power off correctly, systems that take minutes to post, the usual issues with incorrect ACPI table entries, the list goes on.

    Basically, it's replacing one fairly stable code base, that the motherboard vendors often got wrong, with a completely new untested one that is 10x as complicated. You do the math.

    Linus had another rant about it recently called "The abomination called EFI".

    BTW: Gigabyte has a number of traditional motherboards that can boot GPT partitions, effectively removing the _ONE_ useful new feature in EFI.

    1. Re:fixing what isn't broken by Cassini2 · · Score: 4, Informative
    2. Re:fixing what isn't broken by Microlith · · Score: 2

      UEFI is pretty much a case of fixing what isn't broken

      Only because they decided to create something entirely new instead of switching to OpenFirmware. The 16-bit limitations on the BIOS are ridiculous in this day and age and moving to a new interface that ditches the ridiculous constraints imposed by the 8086 more than 30 years ago is a good thing.

      name brand motherboards that brick when flashed, systems that don't power off correctly, systems that take minutes to post, the usual issues with incorrect ACPI table entries

      Link? My experience with UEFI on desktop boards is they post extremely quickly. And the usual issues with ACPI entries isn't exactly the fault of UEFI, now is it.

      The funny thing is that both Dell and Lenovo use Phoenix Technologies for their UEFI BIOSes, but Dell's platforms have never had trouble booting any OS via UEFI. Which means that Lenovo went very far out of their way to pull this shit off, and they should be attacked vocally for it.

    3. Re:fixing what isn't broken by bored · · Score: 2

      The 16-bit limitations on the BIOS are ridiculous in this day and age and moving to a new interface that ditches the ridiculous constraints imposed by the 8086 more than 30 years ago is a good thing.

      No one really gives a crap what the bios runs in, you cite OpenFirmware which is another example of old crufty stuff. I should know as I worked professionally on it for a while. 16bit-x86 is a better firmware environment than forth. Let me cite one of many examples of why openfirmware sucks worse than nearly any other choice. Interrupts, how do you hook/handle an interrupt in an open firmware option ROM? Yah, that is right, you don't.

      At a minimum, all the BIOS needs to do, is init the motherboard hardware, provide a method to describe the hardware to the OS, find a boot device and jump to code provided by it. If you want to see a more reasonable/minimalist BIOS replacement look at U-Boot. Funny thing is that it's quite possible there are more u-boot machines than there are EFI ones because u-boot is pretty much the standard for booting devices which aren't x86 PCs. In fact I happen to know that a huge number of the x86 UEFI servers out there actually have u-boot running on their service processors. So it's good enough for the machine hardware, just not good enough to present to the user.

  10. TPM is the worst by TubeSteak · · Score: 4, Interesting

    Because I'm lazy, I'll just copy and paste a comment I made in another thread about TPM

    Ever since TPM was created, we're always just a few bits and bytes away from having it leveraged against us, by them.
    And by "us" I mean "the computer users."
    By "them" I mean "the hardware manufacturers and software/media companies."

    Example: The newest motherboards don't *need* the ability to disable trusted boot. Heck, it'd have been easier to not include it!
    We're more or less at the mercy of a small number of companies and their design decisions.

    I recently found out, while looking at new laptops, that Lenovo & HP like to put whitelists of wireless cards into the BIOS.
    Someone hacked the BIOS and other cards will work, but for whatever reason, Lenovo/HP doesn't want you to use a storebought card.

    --
    [Fuck Beta]
    o0t!
    1. Re:TPM is the worst by SecurityGuy · · Score: 4, Insightful

      It's not a mystery, but it is inappropriate. Drives me nuts when companies pull this. If I buy your PC, I expect it to work and support all the standards you claim it does. That includes attaching other hardware that adheres to the same standards. I appreciate that there's a dicey issue in there of determining who is at fault when something doesn't work, but that doesn't justify artificially forcing a bunch of hardware not to work. When you do that, YOU are the problem by definition, as you are the party causing it not to work.

    2. Re:TPM is the worst by CanHasDIY · · Score: 3, Insightful

      ... whatever reason, Lenovo/HP doesn't want you to use a storebought card.

      Warranty and support. There isn't any real mystery there..unless you are a dimwit. Are you a dimwit?

      YEA! Like how GM and Ford have locked-out the ability to replace the factory-approved air filter with a K&N, because they don't want to "warranty and support" the aftermarket parts!







      Stupid prick.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:TPM is the worst by Minwee · · Score: 3, Informative

      Like how GM and Ford have locked-out the ability to replace the factory-approved air filter with a K&N, because they don't want to "warranty and support" the aftermarket parts!

      *cough* And we know they never tried anything like that because if they had, then there would be something like a Magnuson-Moss Warranty Act, which would clearly state that companies like GM and Ford could not prevent customers from using aftermarket parts.

      Stupid prick.

      There's no need to sign your post at the end. We can all see who you are by looking at the header.

    4. Re:TPM is the worst by bored · · Score: 2

      I've caught HP x86 servers doing the same thing with video cards. I wanted to run a PCIe video board not sold by HP. It simply failed, the BIOS refused to init it, and removed its parent bridge from the device list passed to the OS.

  11. Re:Testing the water? by jonbryce · · Score: 2

    How many of them will notice when it refuses the "Windows 9" boot string, or someone in their home country notices that it refuses a string with Chinese characters in it.

  12. RHEL by Andrewkov · · Score: 2

    As despicable as this is, on the other hand, it sort of implies that RHEL is certified to work with this machine.

  13. Re:Disruptive Tech by tepples · · Score: 2

    let MS kill the PC.

    there will always be other new hardware.

    After PCs die, what hardware will remain that is 1. sold in U.S. stores with showrooms, and 2. not enforcing a walled garden against a machine owner's will like an iPad or game console?

  14. Re:I doubt this was entirely intentional by ArhcAngel · · Score: 5, Informative

    As a user of ThinkPads for nearly as long I have a TP I cannot install a miniPCI wireless upgrade into without hacking my system because it is not an approved part for my specific ThinkPad. Even a miniPCI from another ThinkPad won't always work.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  15. Re:But they don't advertise those standards... by Hatta · · Score: 2, Interesting

    They don't advertise miniPCI slots as available on the system.

    That doesn't make deliberately crippling the slots in order to sell more proprietary hardware any better. I don't care if they advertise it or not. It is a mini-PCI slot and they are deliberately breaking it. They're assholes.

    --
    Give me Classic Slashdot or give me death!
  16. Re:I doubt this was entirely intentional by X0563511 · · Score: 5, Informative

    There is a reason for this:

    The mini-PCI card is just the radio. The antenna is in the rest of the laptop (usually around the screen). The FCC only certifies them for certain radio+antenna pairings, and so they cannot get certification if they don't put in some mechanism to stop you from using uncertified pairings.

    It's stupid yes, but the idea behind the policy is to allow the sale of high-power radios while keeping it within exposure limits. (the reason being is the same power going into an omnidirectional antenna safely can not only exceed but blow-out-of-the-water the exposure limits if put into a directional antenna. think bulb vs laser)

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  17. Obviously needs to use a sophisticated system by kallisti · · Score: 3, Funny

    As seen here,
    http://www.csis.pace.edu/~bergin/patterns/ppoop.html

    This whole issue could have been avoided if the developers didn't use the "Hacker Solution", but instead... well, read the paper.

  18. Re:I doubt this was entirely intentional by X0563511 · · Score: 2

    My point was there is some enforced limitation as a means of butt-covering, rather than just being jerks. Lenovo (or Dell or whoever) doesn't want to risk being dragged into anything (since the antenna is theirs) so they just lock you out.

    You're right about the directionality, but there's another bit to consider: how much energy can that antenna support? If it can only support 200mw and you try pushing 1w into it, it could very well pose a fire hazard.

    Still, really they should just bugger off and leave it to the user to be responsible. They are doing more than they need to by locking you out.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  19. Re:I doubt this was entirely intentional by sjames · · Score: 2

    I am simply not buying what you're selling, ham or not. We're talking 800mW, not 800 Watts here (and at that, 800mW cards are rare. 100 and 50 mW is common). That is 0.8 Watts MAX. I have no doubt that bad things can happen to ham gear at hundreds or thousands of watts if you use the wrong antenna, but this is low powered ISM stuff here. Nothing bad happens if the antenna is disconnected entirely. Nothing bad happens if you connect/dis-connect the antenna while the transmitter is on. Nothing bad happens if you connect a random bit of wire you found in your desk as an antenna. Nothing bad happens if you lick the antenna terminal. Other vendors don't seem to have any of these worries. The power supply connector is far more dangerous.

    There comes a point where CYA is indistinguishable from malice. So yes, they really are just being butt-heads.

    Note that by bad, I mean other than you may not have connectivity.

  20. Re:I doubt this was entirely intentional by X0563511 · · Score: 2

    Sure, all of the studying I needed to do to get my own license. That's how these sorts of things work. I may be wrong, but I think you need to provide proof of that to me, not the other way around.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  21. Re:Testing the water? by EdZ · · Score: 2

    If they tried this by locking Secure Boot, they'd get an angry letter from Microsoft. It's a requirement for Windows 8 certification that the end user can add their own keys to Secure Boot.