Lenovo Denies Claims It Plotted With Microsoft To Block Linux Installs

Reader kruug writes: Several users noted certain new Lenovo machines' SSDs are locked in a RAID mode, with AHCI removed from the BIOS. Windows is able to see the SSD while in RAID mode due to a proprietary driver, but the SSD is hidden from Linux installations -- for which such a driver is unavailable. Speaking to The Register today, a Lenovo spokesperson claimed the Chinese giant "does not intentionally block customers using other operating systems on its devices and is fully committed to providing Linux certifications and installation guidance on a wide range of products."
Complaints on Lenovo's forums suggest that users have been unable to install GNU/Linux operating systems on models from the Yoga 900S to the Ideapad 710S, with one 19-page thread going into detail about the BIOS issue and users' attempts to work around it.

Link?

[zifnabxar]

Here's the link to the actual story in case anyone was interested in reading it: http://www.theregister.co.uk/2...

Lenovo dev team working on it

[drnb]

As explained in the slashdot story from 3.5 hours ago ...

A reddit poster offered this, in his link Lenovo says the dev team is working on it:

""[–]0xFFFFFF 89 points 7 hours ago*
Levono is aware of the issue and fixing it: https://forums.lenovo.com/t5/L...
It is on hackernews, where people are being rational and theorizing that this is not microsofts fault. More like best-buy rep doesn't know what he talks about and the SSD doesn't have support drivers in linux kernal.. Or lenova messed up their bios implementation.
Luckily we have the reddit witchhunt in full force, so we can make uninformed rants!
Note: Every single previous similar scenario about linux being locked out has not been microsofts fault, which is why people are sceptical that this is the case this time..
I also have a Signature Edition laptop, it runs linux fine..""
https://www.reddit.com/r/linux...

The Lenovo link has an official post saying:

"Re: Yoga 900-13ISK2 - BIOS update for setting RAID mode for missing hard drive on linux install Options
07-27-2016 10:04 AM
Thank you for confirming it is still not possible to install Linux on Yoga 900-13ISK2 systems.
This issue has been escalated to the Development team. I am unable to offer a timeframe for fix at this stage in the investigation. With previous cases, BIOS fixes have been delivered anywhere from several weeks to several months.
I will post again when I have more information on the investigation."
https://forums.lenovo.com/t5/L...

Re:Never attribute to malice ...

[friesofdoom]

When he complained that he was unable to install Linux, the answer he got was: "This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft."

Re:Good news for me

[TheGratefulNet]

you don't know the whole story.

lenovo is many companies. their business laptop division is nothing like the 'yoga crap' that they sell consumers with crapware.

that said, there are issues you need to know about hp and lenovo (those are the 2 that come to mind). they both lock down the pci-e slot so that you can't install your own wifi mini-pcie card due to a blacklist/whitelist in the bios. I bought a t420s laptop a few years ago since it was what we used at work and they seemed very reliable and repairable, too. only after I tried to install an intel gig-wifi card (ac) did it refuse to boot on me. I did find a hacked bios on one of the forums and it works fine, but I have NO IDEA what is really going on and if there is spyware in that hacked bios due to the 'helpful user' who made the bios hack for me. I really cant be sure what was done to that hacked bios, but at least I do get to use the wifi card I want.

other than that, its been a good laptop, it has been repairable and its built pretty well.

the spyware and phone home stuff does not tend to exist on the business level lappies. business guys would not put up with that, generally; only 'yoga users' (lol, what a name!) would.

so, pick the right model of lenovo and be sure you get the right wifi card from purchase. oh, and I tried BUYING the 'right' wifi card after the sale. impossible to do. no one would sell me one and even lenovo would not. incredible. you have to configure it with the ac wifi you want when you buy it. or, take your chances with hacked bios, which I would not really want to do again.

Re:Good news for me

[Jason+Levine]

I was in the market for a new laptop a few years back. Lenovo had a good deal so I ordered it. They said the laptop would be ready to ship in 2 weeks. A day or so before the 2 week mark, they told me it would be delayed to 2 months. To ship it, mind you. It would take an additional week to actually get the laptop.

I called for an explanation and all they would say was that they were waiting on a shipment of some part. (They wouldn't say what part - just that it was a part.) I said I wanted to cancel the order, but they insisted I couldn't cancel it outright but could request to cancel the order. However, if the laptop shipped before the cancellation request was processed, they told me, I'd be charged for the laptop. I had them submit the form to cancel and ordered a Toshiba.

Luckily, they actually cancelled my order. Meanwhile, my Toshiba laptop was assembled, shipped, and arrived in under 2 weeks - before Lenovo cancelled the order and way before they claimed they would have shipped the laptop. I'd highly recommend steering clear of Lenovo.

BIOS security and Flash

[unixisc]

Former flash memory industry worker here. Flash does not work that way. Write Enable is attached to whatever logic circuitry is there - to be asserted following the sequence of address/data write cycles from the CPU or controller to the flash. Write Enable is a dynamic signal tied to the controlling circuitry and logic - it's not something connected to a switch that can be turned on or off by the system's owner.

What you are thinking about is something called Write Protect - which locks a flash, but this can't be a standard solution, b'cos no 2 vendors implement it the same way. Some lock the entire flash i.e. the entire BIOS. Some lock the entire top few sectors and/or bottom few sectors. Some allow the user to select which sectors are to be locked when Write Protect is asserted. Yet, some flash have no Write Protect pins at all. Motherboard vendors - meaning the Asusteks, Gigabytes, Quantas, Compals, Arimas, et al are always cutting deals w/ the likes of flash vendors for the cheapest flash out there, and their designers are required to have interchangeable parts so that they can pit their suppliers in a price pissing contest w/ each other. Since WP# varies, result is the designers would deliberately either make WP# a no-connect, or tie it high to make sure it's permanently disabled. Thereby defeating your solution.

The whole history of BIOS started w/ it first being on PROM/EPROMs. But then, as motherboards became more advanced and in-system re-programmability became necessary, flash memory started replacing them. Usually, it would lock the 'boot blocks' of the flash - meaning either the top few or bottom few sectors, depending on where the boot code of the OS was supposed to reside. However, the rest of the flash was still exposed and vulnerable to being corrupted, which is why the UEFI and the Core Boot conventions were developed.

The real solution to this whole boot thing is the respective projects - be it GRUB or Linux or BSD - coming out w/ a comprehensive solution to UEFI. I know that FreeBSD has come some way in that, but still doesn't allow it such that I can set UEFI protection while still booting from an USB drive (which is how TrueOS wants to distribute the OS). That would help a lot more than playing footsie w/ the default settings of the PC.

Business Laptops

[DrYak]

you don't know the whole story.

lenovo is many companies. their business laptop division is nothing like the 'yoga crap' that they sell consumers with crapware.

You mean the Thinkpad line that they acquired from IBM ? Yes, that one is an entirely different kind of beast.

- The good thing is that they are very easy to repair. (In addition to being very sturdy)
    Whereas with some other constructors you can find two laptops that have the same official name, but different internals, to the point that their customer service actually asks you to give part of the serial number instead (HP, I'm looking at you...)
  With Thinkpads, it's actually the opposite: plenty of different models share common parts (e.g.: the keyboard is usually the same across lots of models).
- The bad thing is all the BIOS / Firmware weirdness. Older laptops I've seen didn't have a full BIOS Setup. Only a couple of basic stuff could be change from the setup. Most of the settings where handled by DOS tools (like settings IO Ports and IRQs).
And the whole black/white list fiascos date back from IBM time - they "had to protect their business", i.e.: make sure you could only buy mini-PCI cards from their (expensive) shop, instead of any compatible after-market 3rd party part.

the spyware and phone home stuff does not tend to exist on the business level lappies. business guys would not put up with that

One of the main reason is that upon buying new equipment, the IT department of most business tends to reinstall a whole new OS from scratch (usually combined with all the necessary crypto-layers, remote-access tools, etc.)
So trying to pre-install any crap on a business laptop is futile... ..unless you manage to get it running on the "Intel ME" (The "lights-out" management engine from Intel : a separate low-power core that runs a small webserver that enables the IT department to do remote management on any corporate workstation or laptop, even when the main CPU is shut down, as long as the device is connected some how to the corporate network) or "IPMI" (the industry standard for the same functionnality used by anyone else beside Intel).
This firmware is currently NOT open, and can't be installed by anyone. It only comes together with the BIOS/EFI upgrades.
And researchers has already found tons of vulnerabilities in these firmwares. To the point that you don't actually need a real backdoor/spyware to spy on users, you just need to abuse one of the multiple exploit in the wild.

Current best practice :
- for servers : keep the management on a separate private network.
- for laptops : just kill the function, and ask the user to physically bring the laptop whenever you have maintenance to do. The remote access isn't worth the security risk.

Re:Smells fishy...

[shutdown+-p+now]

The first reply wasn't from a Lenovo representative. It was from a Best Buy "Lenovo product expert".