Lenovo Denies Claims It Plotted With Microsoft To Block Linux Installs

Reader kruug writes: Several users noted certain new Lenovo machines' SSDs are locked in a RAID mode, with AHCI removed from the BIOS. Windows is able to see the SSD while in RAID mode due to a proprietary driver, but the SSD is hidden from Linux installations -- for which such a driver is unavailable. Speaking to The Register today, a Lenovo spokesperson claimed the Chinese giant "does not intentionally block customers using other operating systems on its devices and is fully committed to providing Linux certifications and installation guidance on a wide range of products."
Complaints on Lenovo's forums suggest that users have been unable to install GNU/Linux operating systems on models from the Yoga 900S to the Ideapad 710S, with one 19-page thread going into detail about the BIOS issue and users' attempts to work around it.

Link?

[zifnabxar]

Here's the link to the actual story in case anyone was interested in reading it: http://www.theregister.co.uk/2...

Good news for me

[BringsApples]

I'm in the market for a new laptop, so I'll skip all of the Lenovos, and will pass that along to all of my clients. Thanks!

Re:Good news for me

[LVSlushdat]

You're nuts if you even consider Lenovo after the crapstorm they were caught doing on their systems. I spent the last 10 years of my sysadmin career supporting Dell corporate systems and now that I'm retired, thats is ALL I will buy/recommend.. Lenovo/HP/Asus all suck donkey balls.

Re:Good news for me

[TheGratefulNet]

you don't know the whole story.

lenovo is many companies. their business laptop division is nothing like the 'yoga crap' that they sell consumers with crapware.

that said, there are issues you need to know about hp and lenovo (those are the 2 that come to mind). they both lock down the pci-e slot so that you can't install your own wifi mini-pcie card due to a blacklist/whitelist in the bios. I bought a t420s laptop a few years ago since it was what we used at work and they seemed very reliable and repairable, too. only after I tried to install an intel gig-wifi card (ac) did it refuse to boot on me. I did find a hacked bios on one of the forums and it works fine, but I have NO IDEA what is really going on and if there is spyware in that hacked bios due to the 'helpful user' who made the bios hack for me. I really cant be sure what was done to that hacked bios, but at least I do get to use the wifi card I want.

other than that, its been a good laptop, it has been repairable and its built pretty well.

the spyware and phone home stuff does not tend to exist on the business level lappies. business guys would not put up with that, generally; only 'yoga users' (lol, what a name!) would.

so, pick the right model of lenovo and be sure you get the right wifi card from purchase. oh, and I tried BUYING the 'right' wifi card after the sale. impossible to do. no one would sell me one and even lenovo would not. incredible. you have to configure it with the ac wifi you want when you buy it. or, take your chances with hacked bios, which I would not really want to do again.

Re:Good news for me

[Jason+Levine]

I was in the market for a new laptop a few years back. Lenovo had a good deal so I ordered it. They said the laptop would be ready to ship in 2 weeks. A day or so before the 2 week mark, they told me it would be delayed to 2 months. To ship it, mind you. It would take an additional week to actually get the laptop.

I called for an explanation and all they would say was that they were waiting on a shipment of some part. (They wouldn't say what part - just that it was a part.) I said I wanted to cancel the order, but they insisted I couldn't cancel it outright but could request to cancel the order. However, if the laptop shipped before the cancellation request was processed, they told me, I'd be charged for the laptop. I had them submit the form to cancel and ordered a Toshiba.

Luckily, they actually cancelled my order. Meanwhile, my Toshiba laptop was assembled, shipped, and arrived in under 2 weeks - before Lenovo cancelled the order and way before they claimed they would have shipped the laptop. I'd highly recommend steering clear of Lenovo.

Paranoia amongst the minority.

[jellomizer]

Often a minority group thinks it is being persecuted against because the majority doesn't go out of its way to make the minority welcomed.

I expect Lenovo wasn't really actively stopping Linux however they weren't actively trying to make something that Linux will work on either. They were making sure it would work for Windows though.

Re:Paranoia amongst the minority.

[Pentium100]

So you're saying that despite technology changing and different things being tried, two companies that don't care at all about linux didn't go out of their way to ensure compatibility with your essentially niche desire to install an unsupported os on their machines is somehow a conspiracy against you?

And yet, as far as I understand this, they disabled the option to turn off fakeraid in BIOS, an option that is present in all PCs that support fakeraid, including the older laptops. Disabling the option does not make Windows run better, so there had to be another reason for doing it. If the reason is not to screw Linux users, then what was it?

Re:Paranoia amongst the minority.

[jstwinkles]

From a UEFI/BIOS dev standpoint, it's the other way around: Windows' requirements are the minority compared to Linux's requirements. Linux is actually pretty much catered to by default without the software dev having to do anything special to get it to boot. Windows is the picky one, so I have a hard time believing that they didn't know what they were doing when they "accidentally" made it so Linux won't boot.

Comment removed

[account_deleted]

Comment removed based on user account deletion

"Security"

[Fire_Wraith]

Of course they didn't conspire to block Linux installs - it was all about providing security to the user, by preventing anyone from attacking the BIOS and the operating system. The fact that this includes the user, and prevents them from "attacking" the operating system by replacing it, is entirely unintentional - or so they'd have you believe.

Sarcasm aside, there is a lot of security-related motivation in attempts to lock down the BIOS, UEFI, etc. The problem is that much of this also has consequences, and we clearly can't rely on companies to simply keep our best interests at heart on their own - but that should come as a surprise to no one here.

Re:"Security"

I just can't understand why this pointless compelxity is being added to BIOS for "security".

Put in a physical switch hooked to the WE/ (write-enable) or equivalent line of the BIO flash chip. Unit comes with this shipped in the disabled position, with security tape over it to prove it's never been enabled since factory. User can choose to flip the switch in order to load a UEFI user cert or whatever crap is required to install a new OS boot or BIOS update. Flip the switch back when done, presto, "security".

I truly think Microsoft as one of the primary backers pushing UEFI have done it the way they have, precisely in order to have a future ability to pull sh*t like this. It fits totally in with the long-term plans to remove general-purpose computing from users' hands. Otherwise, why the hell wouldn't a simpler system be in place?

Re:"Security"

[mrchaotica]

That's not a solution because it still relies on having someone other than the owner decide what's "allowed" to run on the owner's device.

A real solution would be to have a hardware switch allowing the owner, who has physical access to the machine, to turn the DRM off and replace the master encryption key with one of his own choosing.

Re:so unbelievable its posted twice

Dear god, no. Can you imagine the horror of listening to Haselton explain the flaws in manishs decision process for determining which stories to dupe and how his weighted reader apathy algorithm is better at finding the articles people want to see duped? For fucks sake man, think of the children.

Lenovo dev team working on it

[drnb]

As explained in the slashdot story from 3.5 hours ago ...

A reddit poster offered this, in his link Lenovo says the dev team is working on it:

""[–]0xFFFFFF 89 points 7 hours ago*
Levono is aware of the issue and fixing it: https://forums.lenovo.com/t5/L...
It is on hackernews, where people are being rational and theorizing that this is not microsofts fault. More like best-buy rep doesn't know what he talks about and the SSD doesn't have support drivers in linux kernal.. Or lenova messed up their bios implementation.
Luckily we have the reddit witchhunt in full force, so we can make uninformed rants!
Note: Every single previous similar scenario about linux being locked out has not been microsofts fault, which is why people are sceptical that this is the case this time..
I also have a Signature Edition laptop, it runs linux fine..""
https://www.reddit.com/r/linux...

The Lenovo link has an official post saying:

"Re: Yoga 900-13ISK2 - BIOS update for setting RAID mode for missing hard drive on linux install Options
07-27-2016 10:04 AM
Thank you for confirming it is still not possible to install Linux on Yoga 900-13ISK2 systems.
This issue has been escalated to the Development team. I am unable to offer a timeframe for fix at this stage in the investigation. With previous cases, BIOS fixes have been delivered anywhere from several weeks to several months.
I will post again when I have more information on the investigation."
https://forums.lenovo.com/t5/L...

Re:Lenovo dev team working on it

[Doctor_Jest]

The previous AC is right about one thing. Microsoft is convicted of abusing monopoly power. You contradict yourself. The parent is talking about evidence. Evidence of Microsoft's activities. Simply saying "a Best Buy rep" nullifies this little incident doesn't make the overall picture untrue. I'm not particularly "anti" Microsoft (I have an XBox 360, well I've had 5, thanks MS QA!) but I do know they will do lots of shady shit to get the advantage. It's documented in trial transcripts. It seems your willingness to defend Microsoft has compromised your cognitive ability..... just sayin'.

Re:so unbelievable its posted twice

[Richard_at_work]

This story is a couple of hours after the allegation story, if that story was updated with the denial and explanation now, there would be near zero discussion on the denial and explanation while the outrage about the allegation would stand in full.

That is why something as big as this is due two separate stories when the allegation and denial are that far apart - now go discuss the new "information" on the topic, does it change any viewpoints from the last story? Lets watch and find out.

Smells fishy...

[friesofdoom]

This doesn't fit with the reply (from levono i assume) that the guy in the first story on /. said he got:

When he complained that he was unable to install Linux, the answer he got was: "This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft."

Re:Smells fishy...

[shutdown+-p+now]

The first reply wasn't from a Lenovo representative. It was from a Best Buy "Lenovo product expert".

Re:Never attribute to malice ...

[friesofdoom]

When he complained that he was unable to install Linux, the answer he got was: "This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft."

Re:Linux has history of problems with laptops

[Baloroth]

Rather ironically, the Thinkpad series of laptops from Lenovo have excellent (in my experience) Linux compatibility. Lenovo even publishes compatibility certifications for them. I use Mint on a T450s and it worked nearly-perfectly out of the box (only issue I has is with the touchpad, but I prefer the nub mouse anyways and leave the touchpad disabled most of the time).

BIOS security and Flash

[unixisc]

Former flash memory industry worker here. Flash does not work that way. Write Enable is attached to whatever logic circuitry is there - to be asserted following the sequence of address/data write cycles from the CPU or controller to the flash. Write Enable is a dynamic signal tied to the controlling circuitry and logic - it's not something connected to a switch that can be turned on or off by the system's owner.

What you are thinking about is something called Write Protect - which locks a flash, but this can't be a standard solution, b'cos no 2 vendors implement it the same way. Some lock the entire flash i.e. the entire BIOS. Some lock the entire top few sectors and/or bottom few sectors. Some allow the user to select which sectors are to be locked when Write Protect is asserted. Yet, some flash have no Write Protect pins at all. Motherboard vendors - meaning the Asusteks, Gigabytes, Quantas, Compals, Arimas, et al are always cutting deals w/ the likes of flash vendors for the cheapest flash out there, and their designers are required to have interchangeable parts so that they can pit their suppliers in a price pissing contest w/ each other. Since WP# varies, result is the designers would deliberately either make WP# a no-connect, or tie it high to make sure it's permanently disabled. Thereby defeating your solution.

The whole history of BIOS started w/ it first being on PROM/EPROMs. But then, as motherboards became more advanced and in-system re-programmability became necessary, flash memory started replacing them. Usually, it would lock the 'boot blocks' of the flash - meaning either the top few or bottom few sectors, depending on where the boot code of the OS was supposed to reside. However, the rest of the flash was still exposed and vulnerable to being corrupted, which is why the UEFI and the Core Boot conventions were developed.

The real solution to this whole boot thing is the respective projects - be it GRUB or Linux or BSD - coming out w/ a comprehensive solution to UEFI. I know that FreeBSD has come some way in that, but still doesn't allow it such that I can set UEFI protection while still booting from an USB drive (which is how TrueOS wants to distribute the OS). That would help a lot more than playing footsie w/ the default settings of the PC.

Re:Never attribute to malice ...

[iris-n]

If the issue was only that Linux lacked drivers for their SSD configuration that wouldn't be a problem (even though a bit of a dick move from their side). The problem is that there was BIOS setting to change the configuration from RAID to AHCI, but this setting was locked down. The person had to go through some pretty heroic lengths to unlock it.

Not having a Linux driver? That's explainable by stupidity.
Not having a legacy compatibility mode? Could have been explained by stupidity if it were the case.
Having a legacy compatibility mode, but making it inaccessible without a soldering iron? That's just malice.

And frankly, if the company is even considering locking down the BIOS like this, it shows that they have a very weird idea about who owns the damn laptop, and they're never getting my money.

Re:Linux has history of problems with laptops

[MSG]

Depends on the model. The second generation Thinkpad X1 Carbon didn't work with Linux *at all*.

If you want a Linux laptop, look for someone who actually supports Linux on the laptop. Dell has a few, including their XPS 13 developer edition. Purism's Librem laptops are a little more expensive, but specifically built for Linux. There are a handful of other vendors that primarily support Linux.

Lenovo has been hit-and-miss for a while now, and this isn't showing much that's recent:
https://support.lenovo.com/us/...

Business Laptops

[DrYak]

you don't know the whole story.

lenovo is many companies. their business laptop division is nothing like the 'yoga crap' that they sell consumers with crapware.

You mean the Thinkpad line that they acquired from IBM ? Yes, that one is an entirely different kind of beast.

- The good thing is that they are very easy to repair. (In addition to being very sturdy)
    Whereas with some other constructors you can find two laptops that have the same official name, but different internals, to the point that their customer service actually asks you to give part of the serial number instead (HP, I'm looking at you...)
  With Thinkpads, it's actually the opposite: plenty of different models share common parts (e.g.: the keyboard is usually the same across lots of models).
- The bad thing is all the BIOS / Firmware weirdness. Older laptops I've seen didn't have a full BIOS Setup. Only a couple of basic stuff could be change from the setup. Most of the settings where handled by DOS tools (like settings IO Ports and IRQs).
And the whole black/white list fiascos date back from IBM time - they "had to protect their business", i.e.: make sure you could only buy mini-PCI cards from their (expensive) shop, instead of any compatible after-market 3rd party part.

the spyware and phone home stuff does not tend to exist on the business level lappies. business guys would not put up with that

One of the main reason is that upon buying new equipment, the IT department of most business tends to reinstall a whole new OS from scratch (usually combined with all the necessary crypto-layers, remote-access tools, etc.)
So trying to pre-install any crap on a business laptop is futile... ..unless you manage to get it running on the "Intel ME" (The "lights-out" management engine from Intel : a separate low-power core that runs a small webserver that enables the IT department to do remote management on any corporate workstation or laptop, even when the main CPU is shut down, as long as the device is connected some how to the corporate network) or "IPMI" (the industry standard for the same functionnality used by anyone else beside Intel).
This firmware is currently NOT open, and can't be installed by anyone. It only comes together with the BIOS/EFI upgrades.
And researchers has already found tons of vulnerabilities in these firmwares. To the point that you don't actually need a real backdoor/spyware to spy on users, you just need to abuse one of the multiple exploit in the wild.

Current best practice :
- for servers : keep the management on a separate private network.
- for laptops : just kill the function, and ask the user to physically bring the laptop whenever you have maintenance to do. The remote access isn't worth the security risk.

Re:Never attribute to malice ...

[thegarbz]

I see you've never talked to a customer service person before so let me give you a quick primer:

a) they don't know what they are talking about.
b) they don't know what you're talking about.
c) they will say anything that sounds fancy to say that their product should work an you're using it wrong.

Now the other answer we got from higher up is that Lenovo is working on a BIOS update have given a time frame from a couple of weeks to a few months. But really all of this is beside the point since the reason the laptop can't run Linux has nothing to do with Lenovo, a BIOS setting, or anything, but rather that Intel haven't provided an easy working driver for their chipset to work in FakeRAID under Linux. This goes years back. Just look at the multi-page how-tos and screw arounds that people have used to get it working.

If Intel provided proper drivers then Linux would run regardless of the BIOS setting.

Re:Never attribute to malice ...

[strikethree]

The person had to go through some pretty heroic lengths http://imgur.com/a/ox4Ey to unlock it.

Now THAT was hacking. This is the EXACT definition of hacking. Thank you for linking that.