Bizarre Lenovo UEFI behavour (hopefully not on all models)

I stumbled across these two links on the UEFI implementation in some Lenovo PCs, where the Lenovo UEFI implementation insists on Windows8 being in the NVRAM else the PC won’t boot:

… this is all very worrying for a GNU/Linux user, where sometimes one can be left with the impression that hardware suppliers want to lock their hardware into a single company for the operating system provision (ie lock in to Microsoft and MS-Windows), and given that ‘operating system’ provider has what many claim to be a monopoly on the personal computer market (for desktop PCs and for laptops), does cause concern that this could be a symptom of the Microsoft desktop monopoly being abused (where the cause behind the symptom would need to be flushed out - ie is this because Microsoft mostly control the OEM market for desktop/laptop operating system provision ? (and by incentives/discounts can financially control what OS goes on a desktop/laptop as OEM ? ). ← but thats a Soap box topic … and I confess I’m more concerned about practicalities in working around this if it were to become more widespread.

I assume there are MS-Windows boot loaders that one could use to boot GNU/Linux for UEFI hardware (in such a case where a UEFI firmware insists on windows being the NVRAM selection) ?

I have spent some time looking for how to do that. That included asking in a forum frequented by Windows users.

I came up empty. I don’t think there is such a thing.

I have a 3rd generation i7 W530 Lenovo, using Win. 8 and VMWare so I can boot any Linux I like; its the adult compromise and allows me to get real work done. On the flipside, there are Linux only hardware brands out there, if Linux purity is important. I certainly do not think the Lenovo solution is a plot to destroy Linux - I think that it is a desire to control hardware/software quality similar to what Apple does. I rarely read the angst towards Apple that I read towards MS on Linux forums; why is Apple given a such an extraordinary pass?

IMHO Apple is not given such a pass.

Myself and other’s have been quietly critical of the Mac position wrt proprietary hardware locking in their OS - although recently with their adoption of a Unix backbone in their Mac OS/X they are more compatible wrt GNU/Linux than they ever have been in the past. …

Having typed NO free pass for Apple, I do note that GNU/Linux ‘cut its teeth’ and was birthed NOT on Apple compatible hardware, but GNU/Linux did ‘cut its teeth’ and was spread world wide on hardware in common with that used by Microsoft operating systems. That difference is significant, that difference is fundamental, and that difference is part of the crux of the concern that I for one have.

I think a lot of the view here wrt not ranting as much about Mac OS/X comes to the Mac going a specific OS route that traces back to Lisa and then various MacIntosh variants.

MS-Windows on the other hand traces back to a more common hardware platform with MS-DOS, DR-DOS (and other DOS variants), followed by OS-2 and Windows-3.0, 3.1, 3.11, and then Win95/ME/98/98SE/XP etc … pretty much pushing the competition off of a common hardware platform, where despite the Microsoft dominance there where there were other operating system attempts, where there were no law suits raised against the competitors [where Apple is famous for its anti-competitive law suits].

The orgins are different wrt the GNU/Linux-MS-Windows background, as opposed to the MacIntosh/OS-X background. But having typed that, many many of us do NOT give Mac with OS-X any extraordinary pass. So I would dispute the statement that I quote.

Are you saying there are Linux only hardware brands where the firmware checks for Linux in the hard drive OS (or in the NVRAM of a boot), and if that OS is not present then the PC will refuse to boot.

If you are not saying that, then IMHO you are comparing apples to oranges and missing the (my) point. The hopefully small number of Lenovo’s where I quoted the UEFI OS specific limitation specifically prohibt any OS other than MS-Windows. I do not know of any large manufacturer hardware/PC that does that wrt Linux, and I am very much from Missouri on a statement that I quoted that I do not believe. IMHO of course.

On Sun 02 Jun 2013 12:56:01 PM CDT, nrickert wrote:

oldcpu;2562012 Wrote:
> I assume there are MS-Windows boot loaders that one could use to boot
> GNU/Linux for UEFI hardware (in such a case where a UEFI firmware
> insists on windows being the NVRAM selection) ?

I have spent some time looking for how to do that. That included
asking in a forum frequented by Windows users.

I came up empty. I don’t think there is such a thing.

Hi
On this HP it’s UEFI is somewhat primitive, I can’t use efibootmgr
(well it won’t change the nvram), it insists on a BOOTX64.efi file, once
that’s sitting in /boot/efi/EFI/BOOT/ it will load whatever BOOTX64.efi
file is eg windows, grub2, in my case gummiboot.


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.11-desktop
up 1:29, 3 users, load average: 0.06, 0.16, 0.13
CPU AMD Athlon™ II P360@2.30GHz | GPU Mobility Radeon HD 4200

I don’t give Apple a pass. I don’t buy any of their stuff.

As far as I know, the Apple IIe was reasonable. I tried an early Mac (at work), and didn’t like it. It seemed to be giving me the old mushroom treatment (“keep them in the dark and feed them horse manure”).

I occasionally use a newer Mac (in the waiting room at an auto service department). And I don’t much like that either. I find those “hot corners” particularly annoying. (So why did Gnome 3 steal that bad idea?).

No, I do not give them a pass.

I think it was just a half-baked implementation of UEFI so that they could get something out-of-the-door quickly and meet the requirements that Microsoft laid down for Windows 8 OEM systems.

As owner of a Lenovo ThinkPad (non-UEFI), I came to a similar conclusion. For Lenovo or any other hardware supplier, their brand quality comes First, Second, and Third. Obviously they just can’t ship hardware only. That means they are obliged to work with any dominant OS supplier and its vendor support programmes, i.e. MS. The goal of the hardware manufacturer is to deliver a system where every feature of the hardware works OOTB. The simple truth, MS is geared up to enable that as an organization, whereas “Linux” isn’t, and MS will continue to exploit the dependence of the hardware manaufacturer.

why is Apple given a such an extraordinary pass?

Not by me. I tend to agree to this:

  • Running Microsoft software means that software is never yours, you just have a license
  • Using Apple hard- and software means not even your own hardware is yours, Apple tells you which data are allowed.

malcolmlewis wrote:

>

> On Sun 02 Jun 2013 12:56:01 PM CDT, nrickert wrote:
>
>
> oldcpu;2562012 Wrote:
>> I assume there are MS-Windows boot loaders that one could use to boot
>> GNU/Linux for UEFI hardware (in such a case where a UEFI firmware
>> insists on windows being the NVRAM selection) ?
>
> I have spent some time looking for how to do that. That included
> asking in a forum frequented by Windows users.
>
> I came up empty. I don’t think there is such a thing.
>
>
>
>

> Hi
> On this HP it’s UEFI is somewhat primitive, I can’t use efibootmgr
> (well it won’t change the nvram), it insists on a BOOTX64.efi file, once
> that’s sitting in /boot/efi/EFI/BOOT/ it will load whatever BOOTX64.efi
> file is eg windows, grub2, in my case gummiboot.

I’ve run into a variation on this HP I just bought: I got 2-3 installations
of 12.3 onto the disk and they booted just fine. Problem is, I had made
some screwups in what I did and clean, fresh installs were the simplest way
but after the first 2-3 installations it refused to install additional
copies. It failed writing the efi info during installation. From what I
can see, it made 2 entries into the EFI partition for what it labeled as
'opensuse" and “opensuse 12.3” then wouldn’t write anymore. My suspicion is
that if I can (eventually) get those out or eliminate the current file grub-
efi writes all will be well but until the installer for grub-efi is re-
written it looks like I’m stuck with using a second drive and the MBR boot
for whatever.

First, it looks like efi gives you 2 shots at installation which is really
bad with opeSUSE’s update schedule. Second, something in the secure boot
gets wrapped around the post with mixed EFI and MBR drives in a system -
with a second drive using MBR partitioning, the security check fails and I
can’t boot from the secure boot. I have to unplug the second drive after
which seure boot works again.

I’m planning to pester HP with this Monday. Hopefully, they can provide
answers. Otherwise, it looks like, at least on this HP version BIOS, you
quickly get locked out of upgrading on EFI machines.

On Sun 02 Jun 2013 10:30:46 PM CDT, Will Honea wrote:

malcolmlewis wrote:

> [QUOTE]
> On Sun 02 Jun 2013 12:56:01 PM CDT, nrickert wrote:
>
>
> oldcpu;2562012 Wrote:
>> I assume there are MS-Windows boot loaders that one could use to boot
>> GNU/Linux for UEFI hardware (in such a case where a UEFI firmware
>> insists on windows being the NVRAM selection) ?
>
> I have spent some time looking for how to do that. That included
> asking in a forum frequented by Windows users.
>
> I came up empty. I don’t think there is such a thing.
>
>
>
>

> Hi
> On this HP it’s UEFI is somewhat primitive, I can’t use efibootmgr
> (well it won’t change the nvram), it insists on a BOOTX64.efi file,
> once that’s sitting in /boot/efi/EFI/BOOT/ it will load whatever
> BOOTX64.efi file is eg windows, grub2, in my case gummiboot.

I’ve run into a variation on this HP I just bought: I got 2-3
installations of 12.3 onto the disk and they booted just fine. Problem
is, I had made some screwups in what I did and clean, fresh installs
were the simplest way but after the first 2-3 installations it refused
to install additional copies. It failed writing the efi info during
installation. From what I can see, it made 2 entries into the EFI
partition for what it labeled as 'opensuse" and “opensuse 12.3” then
wouldn’t write anymore. My suspicion is that if I can (eventually) get
those out or eliminate the current file grub- efi writes all will be
well but until the installer for grub-efi is re- written it looks like
I’m stuck with using a second drive and the MBR boot for whatever.

First, it looks like efi gives you 2 shots at installation which is
really bad with opeSUSE’s update schedule. Second, something in the
secure boot gets wrapped around the post with mixed EFI and MBR drives
in a system - with a second drive using MBR partitioning, the security
check fails and I can’t boot from the secure boot. I have to unplug
the second drive after which seure boot works again.

I’m planning to pester HP with this Monday. Hopefully, they can
provide answers. Otherwise, it looks like, at least on this HP version
BIOS, you quickly get locked out of upgrading on EFI machines.

[/QUOTE]
Hi
If secure boot is enabled and the efi files, kernel etc are not signed
properly, then it’s working as designed :wink:

Maybe one of the installs is not signed properly?

I don’t use grub2-efi or secure boot, so not really sure, but have had
no issues multi booting efi files.

Got rid of plymouth as well, my systemd boot times are 5.5-6 seconds
gummiboot to desktop…


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.11-desktop
up 1:06, 3 users, load average: 0.06, 0.09, 0.06
CPU AMD Athlon™ II P360@2.30GHz | GPU Mobility Radeon HD 4200

I assume this is with Secure boot disabled (assuming there is any secure boot control ? ) ?

I see this is a major limitation if it is not possible to clear UEFI entries via booting to the UEFI firmware. Is there no option within the UEFI firmware to clear selected NVRAM entries ?

I’ll be curious to read what you learn. I have seen funny things wrt HP in PCs, such as their implementation of an OEM versions of MS-Windows omitting a key driver (omitting an AHCI driver - where HP support’s answer was a recommendation for me to buy another copy of MS-Windows if I wanted the driver) , and hopefully what you noted wrt UEFI in the firmware can be addressed by something HP pass to you over the phone.

malcolmlewis wrote:

> Maybe one of the installs is not signed properly?
>
> I don’t use grub2-efi or secure boot, so not really sure, but have had
> no issues multi booting efi files.
>
> Got rid of plymouth as well, my systemd boot times are 5.5-6 seconds
> gummiboot to desktop…
>

Only way that happens is if the signing error is a lack of any efi info on
the second disk - even the failed installs on the first disk come up
smoothly in with a grub session.

I’ve also concluded that the machine I have is somewhat of an oddball so I’m
going to have to get with HP support to make sure I’m not going to muck up
the works. The specific model I have shipped originally with Win 7 and the
specific machine came with Win 8 so none of the manuals are exactly right,
especially on the restore pocess. Must have been a short run or something.
With any luck, maybe they will just ship me a copy of the Win 7 system
restore disks and BIOS.

oldcpu wrote:

> I assume this is with Secure boot disabled (assuming there is any
> secure boot control ? ) ?

I’m not sure. The setup routine offers to clear the secure keys but I have
no explanation as to what those are snd until I csan clarify it I ain’t
about to try it. There are 2 options: clear all keys and clear the HP keys
which what gives me pause. Should be an interesting talk with HP tomorrow.

> I see this is a major limitation if it is not possible to clear UEFI
> entries via booting to the UEFI firmware. Is there no option within the
> UEFI firmware to clear selected NVRAM entries ?
>

Not that can see - but I may be reading the above setup options wrong.
Documentation with this system andon the web site is definitely thin.

WRT earlier points concerning Lenovo and Linux, I would draw your attention to this page on a lenovo support site: Linux for Personal Systems

They are committed to providing information at least, and there’s probably a dialogue with those linux vendors. My ThinkPad model is listed there for Ubuntu, and is found on searching “Novell certified hardware”, albeit a slightly different config. The certification for SLED 11 SP1 even mentioned the unsupported standby and hibernation. Hibernation has worked many times with openSUSE releases. However, standby/sleep is almost certainly a BIOS issue (works ok on Win7), where Lenovo’s fix and update hasn’t worked out (at least they tried).

An interesting list.

Actually, if you look at that list for the Lenovo ThinkCentre M92p system noted in my first post, one can see what they did. When Lenovo were criticized (by Red Hat users) that only Windows would be accepted in the NVRAM, they modified to NVRAM to accept only Windows and Red Hat. I see now that a Ubuntu variant has also been added. If I had to guess, I would guess (speculate) that only those two GNU/Linux versions UEFI implementions (which identify the GNU/Linux distribution in the directory name) are allowed in the NVRAM and not others allowed. That IMHO is just as bad. ie Magia, generic debian, openSUSE, possibly even Fedora (if it uses a different directory name than Red Hat) etc … will not likely work because of that Lenovo NVRAM implementation.

My suspicion is the Think Station S30 is likely the same, but in that case only Red Hat and Windows allowed. IMHO that is pretty much just as bad as allowing only MS-Windows. I dislike an approach where one GNU/Linux distro (with MS-Windows) should be allowed exclusive use of a PC’s hardware.

My looking further … with respect, that list is NOT an indication of compatibility (even if it is called “Linux certification” ) . I note the Lenovo X220 (not the tablet verison) has no GNU/Linux distro’s listed, yet it is known to work with many GNU/Linux distros. Yet no ‘certification’ done. My suspicion is the support from Lenovo to maintain that list (and follow up with more certifications) is adhoc and minimal.

On Sun, 02 Jun 2013 13:26:01 +0000, RichardET wrote:

> I rarely
> read the angst towards Apple that I read towards MS on Linux forums;
> why is Apple given a such an extraordinary pass?

Apple is too small a share of the market compared to MS. I’d say it’s
about proportional.

I don’t give Apple a pass; I don’t buy Apple equipment. I have a 10-year-
old iPod that I run Rockbox on, and my wife has an iPod nano that she
doesn’t use any more.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I think those are the keys used for verifying secure-boot signatures.

My Dell box has an option to clear all keys. It does not have an option to clear Dell keys, and perhaps there aren’t any of those.

The way that it is supposed to work, is – if there are no keys, then the first system you secure-boot gets a free pass and is able to install its keys in the key data. Anything else will have to be signed by that first key.