According to a new report by Phoronix, some of Lenovo's new AMD Ryzen 6000 laptops paired with Microsoft's Pluton security chip will not boot any other operating system besides Windows by default. Linux security expert Matthew Garrett initially discovered the issue in his blog post when he tried booting Linux from a USB thumb drive on his Z13 ThinkPad.
The main issue with Lenovo's security measure is that locking out other operating systems provides no additional security benefit. In addition, these new laptops by default do not trust bootloaders signed with Microsoft's 3rd party UEFI CA key, supposedly to maintain higher security, which Garrett argues is useless.
Garrett points out that the security measure in Lenovo's laptops that actually matters is the TPM and the secrets it protects. When a non-Windows OS that supports Secure Boot and the TPM is loaded onto the system, the keys belonging to the previous OS are wiped because the boot chain is now signed under the 3rd party CA, so they are useless for an attacker to grab off the system. Because of this, there is no reason to lock out non-Windows operating systems: any critical data is already wiped and replaced.
Thankfully this issue won't be a serious problem for most users, since most of the world does run Windows. But it could be very problematic for the few diehards who use Linux. There's a chance this operating system lock can be changed within the BIOS, but this has not been confirmed.
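Whether a given machine trusts the Microsoft 3rd party UEFI CA is something an owner can check from Linux rather than guess at: the Secure Boot allow-list (the `db` variable) is exposed by efivarfs as a concatenation of EFI_SIGNATURE_LIST structures, and the third-party CA shows up there as an X.509 entry. The script below is an added example, not code from the article or from Garrett's post; it parses that format and reports whether the third-party CA certificate is present. The `EFI_CERT_X509_GUID` and `db` variable GUID are the values from the UEFI specification; the certificate match is a heuristic (it looks for the subject CN string inside the DER blob rather than fully parsing X.509), and the sample databases at the bottom are constructed stand-ins, not real certificates.

```python
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification (signature database section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DB_PATH = Path(f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}")

# Subject CN of the certificate Microsoft uses to sign third-party bootloaders such as shim.
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"


def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner_guid, signature_bytes) for every entry in a
    buffer made of back-to-back EFI_SIGNATURE_LIST structures.

    Layout per list: SignatureType GUID (16) | SignatureListSize u32 |
    SignatureHeaderSize u32 | SignatureSize u32 | header | N x (Owner GUID (16) + data).
    """
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        # Reject sizes that would walk outside the buffer or cannot hold an owner GUID.
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def x509_entries(db_bytes: bytes) -> list:
    """Return only the certificate (EFI_CERT_X509) entries of a db/dbx blob."""
    return [sig for sig_type, _, sig in parse_signature_lists(db_bytes)
            if sig_type == EFI_CERT_X509_GUID]


def trusts_third_party_ca(db_bytes: bytes) -> bool:
    """Heuristic: the CN text appears verbatim in the DER-encoded subject."""
    return any(THIRD_PARTY_CA_CN in cert for cert in x509_entries(db_bytes))


def read_efivar(path: Path) -> bytes:
    # efivarfs prefixes every variable's contents with a 4-byte attributes word.
    return path.read_bytes()[4:]


def build_signature_list(sig_type: uuid.UUID, cert: bytes,
                         owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single entry (used for the constructed samples)."""
    sig_size = 16 + len(cert)
    list_size = 28 + sig_size
    return (sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
            + owner.bytes_le + cert)


# Constructed sample databases. The "certificates" are NOT real DER certificates,
# just a DER-looking prefix followed by the subject CN text the heuristic keys on.
SAMPLE_DB_WINDOWS_ONLY = build_signature_list(
    EFI_CERT_X509_GUID, b"\x30\x82" + b"Microsoft Windows Production PCA 2011")
SAMPLE_DB_WITH_THIRD_PARTY = SAMPLE_DB_WINDOWS_ONLY + build_signature_list(
    EFI_CERT_X509_GUID, b"\x30\x82" + THIRD_PARTY_CA_CN)


if __name__ == "__main__":
    # Prefer the live firmware database; fall back to the constructed sample when
    # run somewhere without efivarfs (non-UEFI boot, container, non-Linux host).
    if DB_PATH.exists():
        db, source = read_efivar(DB_PATH), str(DB_PATH)
    else:
        db, source = SAMPLE_DB_WITH_THIRD_PARTY, "constructed sample"
    print(f"source: {source}")
    print(f"X.509 entries in db: {len(x509_entries(db))}")
    print(f"Microsoft 3rd party UEFI CA trusted: {trusts_third_party_ca(db)}")
```

On a machine where the CA is absent, a shim-based Linux installer will fail Secure Boot verification exactly as described above; the fix, if the firmware offers one, is the Secure Boot certificate setting in the firmware setup, not anything the OS can change from userspace.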
To clarify, this issue is specific to Lenovo and is not a flaw in Microsoft's new Pluton security processor. Pluton is a new co-processor that adds security to a system's TPM (Trusted Platform Module) by providing the TPM's functions on the CPU itself rather than in a separate chip. Without Pluton, attackers with physical access can hijack the TPM's communication bus to grab sensitive keys and information.