
Lenovo UEFI Bug Only Likes Windows and RHEL

Posted by Soulskill
from the you-didn't-think-this-through dept.
New submitter Nagilum23 writes "It looks like Lenovo only knows of Windows and RHEL where their Thinkcentre M92p desktop is concerned. While investigating UEFI boot issues, Matthew Garrett found the PC's firmware actually checks the descriptive string for the operating system, and will prevent unlisted operating systems from booting. Garrett writes, 'Every UEFI boot entry has a descriptive string. This is used by the firmware when it's presenting a menu to users - instead of "Hard drive 0" and "USB drive 3", the firmware can list "Windows Boot Manager" and "Fedora Linux". There's no reason at all for the firmware to be parsing these strings. ... there is a function that compares the descriptive string against "Windows Boot Manager" and appears to return an error if it doesn't match. What's stranger is that it also checks for "Red Hat Enterprise Linux" and lets that one work as well. ... This is, obviously, bizarre. A vendor appears to have actually written additional code to check whether an OS claims to be Windows before it'll let it boot. Someone then presumably tested booting RHEL on it and discovered that it didn't work. Rather than take out that check, they then added another check to let RHEL boot as well.'" Note that this isn't a SecureBoot issue. Lenovo is aware of the problem and looking into it.
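
The "descriptive string" in the summary lives in the Description field of the EFI_LOAD_OPTION stored in each Boot#### variable. As an added example (not code from the post, from Matthew Garrett, or from Lenovo), the parser below extracts that label; `described_check_allows` is a hypothetical model of the comparison the summary describes, and all function names and sample entries are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_LOAD_OPTION layout (UEFI spec), all little-endian:
 *   UINT32 Attributes; UINT16 FilePathListLength;
 *   CHAR16 Description[] (NUL-terminated); device path list; optional data.
 * When reading from Linux efivarfs, skip the 4-byte attribute prefix first. */
#define LOAD_OPTION_HDR 6

/* Copy the description into out as ASCII ('?' for non-ASCII code units).
 * Returns its length in characters, or -1 if the buffer is malformed. */
int load_option_description(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < LOAD_OPTION_HDR + 2 || outlen == 0)
        return -1;
    size_t path_len = (size_t)buf[4] | ((size_t)buf[5] << 8);
    size_t pos = LOAD_OPTION_HDR, n = 0;
    for (;;) {
        if (pos + 2 > len)
            return -1;                      /* ran off the end: no terminator */
        uint16_t cu = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
        pos += 2;
        if (cu == 0)
            break;
        if (n + 1 >= outlen)
            return -1;                      /* caller's buffer too small */
        out[n++] = (cu < 0x80) ? (char)cu : '?';
    }
    out[n] = '\0';
    if (path_len > len - pos)
        return -1;                          /* device path overruns the variable */
    return (int)n;
}

/* Model of the behaviour described in the summary (an assumption, not
 * Lenovo's code): allow booting only if the label is one of two strings. */
int described_check_allows(const char *desc)
{
    return strcmp(desc, "Windows Boot Manager") == 0 ||
           strcmp(desc, "Red Hat Enterprise Linux") == 0;
}

/* Build a constructed, minimal load option for the demo: active, with an
 * empty device path consisting only of the End node (7f ff 04 00). */
size_t build_load_option(uint8_t *buf, size_t cap, const char *desc)
{
    static const uint8_t end_node[4] = { 0x7f, 0xff, 0x04, 0x00 };
    size_t dlen = strlen(desc);
    size_t total = LOAD_OPTION_HDR + 2 * (dlen + 1) + sizeof end_node;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x01;                          /* LOAD_OPTION_ACTIVE */
    buf[4] = (uint8_t)sizeof end_node;      /* FilePathListLength */
    for (size_t i = 0; i < dlen; i++)
        buf[LOAD_OPTION_HDR + 2 * i] = (uint8_t)desc[i];
    memcpy(buf + total - sizeof end_node, end_node, sizeof end_node);
    return total;
}

int main(void)
{
    /* Constructed sample labels, not taken from a real machine. */
    const char *labels[] = { "Windows Boot Manager", "Red Hat Enterprise Linux",
                             "Fedora Linux", "ubuntu" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        uint8_t var[128];
        char desc[64];
        size_t n = build_load_option(var, sizeof var, labels[i]);
        if (load_option_description(var, n, desc, sizeof desc) < 0) {
            puts("malformed load option");
            continue;
        }
        printf("%-26s -> %s\n", desc,
               described_check_allows(desc) ? "boots" : "refused");
    }
    return 0;
}
```

The label is ordinary variable data written by whoever creates the boot entry, which is why a comparison on it identifies nothing about the code that actually gets loaded.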

  • by Anonymous Coward

    ... my guess would be VERY. No problem here for haxors. For the rest of us, just don't buy this crap.

  • Bug? (Score:5, Insightful)

    by Anonymous Coward on Friday November 16, 2012 @10:36AM (#42000995)

    You keep using that word. I don't think it means what you think it means.

    It's not a bug if it's by design, and this is clearly intended behavior.

    • Re: (Score:2, Insightful)

      It's funny, because isn't this exactly the list of companies that have bought into SecureBoot? Maybe it's just a beta implementation. Guess it's not so secure if it can be spoofed this easily though.
      • Re:Bug? (Score:5, Interesting)

        by halltk1983 (855209) <halltk1983@yahoo.com> on Friday November 16, 2012 @11:12AM (#42001321) Homepage Journal
        Packard Bell used to do this back in 95. I had a system that specifically would not boot anything but Windows. I spent months trying to get it to run linux. It would not boot anything but windows off the drive. Found out years later that there was a check it did for what was booting.
        • by theCoder (23772)

          Just for the record, my family had a Packard Bell that ran Mandrake Linux extremely reliably for many years. Though from listening to other people complain about Packard Bells online, I guess we got the only good one they ever made :)

        • by laffer1 (701823)

          Packard Bell released a bios update for my system (406CD) that I bought in 1995 to improve compatibility with other operating systems. At different times, I had Windows 3.11 + DOS 6.22, IBM PC-DOS 7, OS/2 Warp 3 & 4, Redhat 5, Windows 95, Windows NT 4, and BeOS 5 running on it. It was the most compatible computer I've ever owned. The sound card, video card and modem worked with everything.

    • Re:Bug? (Score:5, Interesting)

      by Anonymous Coward on Friday November 16, 2012 @11:05AM (#42001257)

      You're making assumptions about what the intended behavior was. I think it unlikely that they intended to make the machine unbootable for anything other than Windows and RHEL. The bug (yes, bug) probably began with a hack to work around some windows issue that broke booting for anything else. Then, because they maybe only test with windows and rhel, some moron "fixed" the bug by adding a check for RHEL.

    • by gmuslera (3436)
      Is a meatware bug, not a software one
    • It's a bug in the developer. His intentions were a mistake and cause a segfault in the open source community.

    • by Pinhedd (1661735)

      Never attribute to malice that which can adequately be attributed to stupidity.

      Corollary: Any sufficiently shocking display of stupidity is indistinguishable from malice

  • As a user of Lenovo desktops and laptops for the last 20 years, I haven't had a single problem like this before. I reckon it's a cock up or an outsourcing fail (they probably outsource their firmware). As for the fix, that's just being stupid.
    • by ArhcAngel (247594) on Friday November 16, 2012 @12:02PM (#42001933)
      As a user of ThinkPads for nearly as long I have a TP I cannot install a miniPCI wireless upgrade into without hacking my system because it is not an approved part for my specific ThinkPad. [thinkwiki.org] Even a miniPCI from another ThinkPad won't always work.
      • by X0563511 (793323) on Friday November 16, 2012 @01:07PM (#42002763) Homepage Journal

        There is a reason for this:

        The mini-PCI card is just the radio. The antenna is in the rest of the laptop (usually around the screen). The FCC only certifies them for certain radio+antenna pairings, and so they cannot get certification if they don't put in some mechanism to stop you from using uncertified pairings.

        It's stupid yes, but the idea behind the policy is to allow the sale of high-power radios while keeping it within exposure limits. (the reason being is the same power going into an omnidirectional antenna safely can not only exceed but blow-out-of-the-water the exposure limits if put into a directional antenna. think bulb vs laser)

        • by sjames (1099)

          It seems unlikely. I can easily buy a high powered mini-PCI card bare and on most systems, pair it with any antenna. My setup may or may not comply with regulations, but it's on me to make sure it does or seek an appropriate license (in practice, many people don't bother and as long as it doesn't create an interference problem, they'll never hear about it).

          In practice, the built-in laptop antennae are on the low end and certainly are not strongly directional (though they often have unintentional dead areas)

          • by X0563511 (793323)

            My point was there is some enforced limitation as a means of butt-covering, rather than just being jerks. Lenovo (or Dell or whoever) doesn't want to risk being dragged into anything (since the antenna is theirs) so they just lock you out.

            You're right about the directionality, but there's another bit to consider: how much energy can that antenna support? If it can only support 200mw and you try pushing 1w into it, it could very well pose a fire hazard.

            Still, really they should just bugger off and leave it t

            • by sjames (1099)

              You are clutching at straws and I have no idea why. The most energy the wire could ever radiate is the amount pumped in to it. Even if the case was made of guncotton, an 800mw transmitter couldn't heat it enough to cause a fire.

              No other vendor does anything stupid like that.

              • by X0563511 (793323)

                Sure, but the transmitter certainly could smoke and burn. I've seen it happen. (I am a ham, I should mention).

                I'm not trying to support Lenovo, I am not grasping at straws. You are misunderstanding my point. (which is there are valid, if construed, reasons for locking you out from this... they are not doing it out of spite or just to be difficult)

                • by sjames (1099)

                  I am simply not buying what you're selling, ham or not. We're talking 800mW, not 800 Watts here (and at that, 800mW cards are rare. 100 and 50 mW is common). That is 0.8 Watts MAX. I have no doubt that bad things can happen to ham gear at hundreds or thousands of watts if you use the wrong antenna, but this is low powered ISM stuff here. Nothing bad happens if the antenna is disconnected entirely. Nothing bad happens if you connect/dis-connect the antenna while the transmitter is on. Nothing bad happens if

                  • by X0563511 (793323)

                    Eh, your points are fair. We're arguing on how we got there, not that we got there. Let's leave it at that?

        • by oursland (1898514)
          Do you have actual evidence of this or are you making up a rationalization?
          • by X0563511 (793323)

            Sure, all of the studying I needed to do to get my own license. That's how these sorts of things work. I may be wrong, but I think you need to provide proof of that to me, not the other way around.

    • by jandrese (485)
      Most flavors of BSD can't be used on certain Lenovo laptops because their BIOS sees the BSD filesystem as a recovery system and damages it.
  • Well... (Score:2, Informative)

    by Anonymous Coward

    Never ascribe to malice what can be explained by Microsoft getting desperate.

    • Re:Well... (Score:5, Interesting)

      by ByOhTek (1181381) on Friday November 16, 2012 @10:45AM (#42001073) Journal

      Given that RHEL is probably their biggest competitor that move could be considered a counter to - I would say you need to put down your anti-ms tinfoil hat, your brain is overheating.

      It's probably a support engineer related decision - "We don't want to have to deal with questions/complaints regarding unsupported operating systems that have gotten installed... so we'll prevent them from being installed."

      Neither malice or ms-induced malice, but rather just an idiotic solution to an annoying issue that they probably have to periodically deal with.

      Glad I don't buy Lenovo. I tend to prefer FreeBSD and Hackintosh'ed as my non MS OS.

      • Re: (Score:2, Interesting)

        by segedunum (883035)

        Given that RHEL is probably their biggest competitor that move could be considered a counter to - I would say you need to put down your anti-ms tinfoil hat, your brain is overheating.

        Ahhh, yes, black is white, there are no black helicopters and all that jazz........ It's firmly in that bracket.

        It's probably a support engineer related decision - "We don't want to have to deal with questions/complaints regarding unsupported operating systems that have gotten installed... so we'll prevent them from being installed."

        Errrrr, no. For one thing this actually takes effort which hardware manufacturers are not prone to actually putting in, for another I didn't think they give a crap about supporting any Linux operating systems and conveniently Red Hat is the only distribution Microsoft recognises for the purposes of their 'Safeboot' keys.

        I tend to prefer FreeBSD and Hackintosh'ed as my non MS OS.

        Nice of you to let us know that after telling everyone they're paranoid lunatics

        • by psmears (629712)

          Errrrr, no. For one thing this actually takes effort which hardware manufacturers are not prone to actually putting in, for another I didn't think they give a crap about supporting any Linux operating systems

          Actually Lenovo are often pretty good [lenovo.com] about supporting Linux - e.g. they provide information and often drivers and support. I don't think the M92p is a model for which they do this though.

        • by ByOhTek (1181381)

          I use whatever the hell works. But when someone prevents me from using something that would work, just because it's not the most popular alternative, I tend to get pissed.

          I know they don't care about supporting any Linux operating systems, that's what I said. Having worked with nutjob support engineers/management before, the change described in TFS is something I could see them requesting to their bosses, to make support easier (if they can't install it, they can't ask about run time issues), and their boss

  • are you serious? (Score:5, Insightful)

    by v1 (525388) on Friday November 16, 2012 @10:38AM (#42001021) Homepage Journal

    I don't see how you can consider this a "bug"? You don't just "accidentally test a string for a specific value". This is clearly intentional operation, not a bug.

    • by rsmith-mac (639075) on Friday November 16, 2012 @10:51AM (#42001119)

      Bug is probably the wrong term here. I think "hilariously bad design decision" is a more apt description. Clearly someone didn't think this all the way through.

      • by gl4ss (559668)

        sure they did think it.

        the testing checklist included booting on rhel and windows and that's what it boots on - and presumably testing that some os without a signature doesn't boot. never mind it actually being secure or anything, because surely nobody would lie in their descriptive string right?

        can't believe the engineers thought that they would actually ship this though..

      • by blueg3 (192743)

        Bug is the right term here. Terrible design decisions and intentional but stupid implementation decisions are also bugs.

      • Re:are you serious? (Score:4, Interesting)

        by bill_mcgonigle (4333) * on Friday November 16, 2012 @02:32PM (#42003537) Homepage Journal

        Clearly someone didn't think this all the way through.

        or possibly: somebody merged a diff early. Microsoft gets control of UEFI, RHAT buys a license, and on Day-Zero all new Windows OEM machines ship with UEFI string checkers that only boot Windows or RHEL (without string 'hacks' - possible legal claims over fraud, +- DMCA interoperability claims).

        Nah, could never happen.

    • by geekoid (135745)

      If it got through testing by accident, then it's a type of bug.

      • by X0563511 (793323)

        or if outright failure wasn't the intended action. Could be they intended to print a warning or something instead. I find this a bit much to swallow but there's a chance of it.

  • by Attila Dimedici (1036002) on Friday November 16, 2012 @10:40AM (#42001031)
    That's a great idea. Someone who wrote a virus to boot before the OS would never think to tell UEFI that it was the Windows Boot Manager. /s
    • Re:That's just great (Score:5, Informative)

      by ledow (319597) on Friday November 16, 2012 @10:48AM (#42001103) Homepage

      It's nothing to do with Secure Boot, just dodgy BIOS-writing again.

      From TFS: "There's no reason at all for the firmware to be parsing these strings."

      This is basically on a par with Windows 3.1 looking for MS-DOS signatures and refusing to boot otherwise (though that had an illegally anticompetitive reason), with BIOS's like the one I just forced an update from my supplier for (by threatening to return a significant number of laptops) which consisted of a BIOS checking for a certain value on disk being 00 before it would boot from that disk (a value which corresponds to 00 only on unencrypted Windows NTFS-formatted disks) and refusing to boot Truecrypt'd disks or anything with a non-NTFS primary partition (very common on certain HP and Dell models, that particular "bug"), and the like of which I've seen DOZENS of times in my own purchases because of:

      STUPID BIOS WRITERS.

      There is no reason to ever test that string, and certainly none to use it as a conditional to boot. It has nothing to do with any advertised UEFI feature whatsoever. The fact that the UEFI code even bothers to interrogate that string for anything other than displaying it to the user tells you that the manufacturer doesn't care about, and doesn't test, anything but Windows to the point they will hard-core their machines to only run Windows. They don't care about UEFI at all, or secure booting, or anything - just that it works when they run Windows.

      Makes you kinda wonder who would ultimately be behind putting such an unnecessary and counter-productive decision into a machine's BIOS really.

      • Re: (Score:2, Insightful)

        I agree that the BIOS writers were stupid for doing this. I also agree that there was no good reason for the firmware to be parsing these strings, although I have to disagree with the summary. There are many reasons for the firmware to be parsing these strings. They are all bad reasons from the perspective of anybody but Microsoft (and even there, probably not once someone thinks the whole thing through), nevertheless there are many reasons to do this. I am quite sure that at least one person intended to cl
      • Re:That's just great (Score:5, Interesting)

        by tibit (1762298) on Friday November 16, 2012 @11:23AM (#42001431)

        Most likely: the firmware is outsourced, and the outsourcer implements it to the letter, without applying any thinking.

      • by mlts (1038732) *

        I was looking at a heavily discounted HP box on sale, and the one review of the model on Amazon stated exactly this -- it only booted Windows and nothing else.

        If PC makers sell boxes that only boot Windows, they need to both put a warning that functionality has been deliberately limited/crippled, and give the customer a steep discount for shipping equipment that deliberately only functions in a limited context.

        This isn't a knock against MS... if a PC is limited to any OS, that is a deliberate de-functioning

      • by Hatta (162192) on Friday November 16, 2012 @12:29PM (#42002319) Journal

        The fact that the UEFI code even bothers to interrogate that string for anything other than displaying it to the user tells you that the manufacturer doesn't care about, and doesn't test, anything but Windows to the point they will hard-core their machines to only run Windows. They don't care about UEFI at all, or secure booting, or anything - just that it works when they run Windows.

        Makes you kinda wonder who would ultimately be behind putting such an unnecessary and counter-productive decision into a machine's BIOS really.

        And people don't believe me when I tell them that OEMs will chomp at the bit to lock people out of other OSs with secure boot when MS finally flips the switch. They already care about nothing but Windows.

    • That's a great idea. Someone who wrote a virus to boot before the OS would never think to tell UEFI that it was the Windows Boot Manager.

      Well, the UEFI boot images are cryptographically signed, so they'd need to do more than just copy a string; That sounds more like a BIOS writer making a shortcut instead of implementing the full EFI spec -- Search for a string instead of implement /FAT (12 | (16 | 32))/ ... OR maybe just add an exceptional case to already flawed code to get RHEL working. However:

      Secure Boot's a GREAT IDEA, Why, someone who found a flaw in your OS would NEVER think to just re-exploit it after it boots up instead of mess wi

  • by Anonymous Coward on Friday November 16, 2012 @10:44AM (#42001063)

    I used to like IBM and Lenovo computers. But this offends me.

    • by ByOhTek (1181381)

      Since I've no mod points, and couldn't mod this topic anyway... Seconded.

      Manufacturers shouldn't be able to tell the users of their hardware what software can be used on their hardware. At most, they should say "there are known issues of this software potentially physical damage." And if I got that, I'd probably reply with "The 80s/early 90s called, they want their computer problems back."

      Shrug, plenty of other good hardware vendors out there. Though for a desktop, I've never understood not building your ow

      • Manufacturers shouldn't be able to tell the users of their hardware what software can be used on their hardware.

        I agree with you that they shouldn't be able to. But in the real world, manufacturers of computing devices for home use have been getting away with walled gardening since 1986 when the NES and Atari 7800 came out.

        • by ByOhTek (1181381)

          The only argument I can come up with that, is that consoles aren't sold with the intent of being general purpose computers, and I don't think anybody really thinks of that as their intent, only us geeks find the idea of getting them to fulfill that purpose, to be amusing and fun.

          • by Benanov (583592)

            Sony attempted to do this with their Playstation 2 (and the Playstation 3) in order to work around taxes, not because they actually wanted it general purpose.

          • by tepples (727027)

            only us geeks find the idea of getting them to fulfill that purpose, to be amusing and fun.

            That and anyone who wants to develop a video game but happens not to live near established video game studios.

  • Lenovo limits your OS choice. Obviously there is a reason...and the likely one is that the OS choices they steer you towards are the ones that have the handy back doors installed for remote monitoring. Isn't that what you would do if you needed to monitor users?

  • Perhaps Lenovo wishes to find out how much of a consumer backlash they'll get when they bring in Secure Boot? If only a tiny fraction of users notice this OS-locker, then they can be reasonably sure that Secure Boot will be accepted with equal ease.
    • by Alex Belits (437) * on Friday November 16, 2012 @10:54AM (#42001141) Homepage

      Then all Linux distributions, plus EFF, should sue Lenovo, if for no other reason then just to show how much everyone cares. I would contribute to that if necessary.

    • by jonbryce (703250)

      How many of them will notice when it refuses the "Windows 9" boot string, or someone in their home country notices that it refuses a string with Chinese characters in it.

    • by EdZ (755139)
      If they tried this by locking Secure Boot, they'd get an angry letter from Microsoft. It's a requirement for Windows 8 certification that the end user can add their own keys to Secure Boot.
  • by markhahn (122033) on Friday November 16, 2012 @10:47AM (#42001095)

    if it must frob for strings, let's all just agree to put "grub" in there.

  • Looking into it my arse. You have to write code to check this, and there is no good reason at all to check it.
  • by bored (40072) on Friday November 16, 2012 @10:54AM (#42001147)

    UEFI is pretty much a case of fixing what isn't broken, yet with any software project it's bound to have bugs in the first few iterations.

    And, oh boy does it. name brand motherboards that brick when flashed, systems that don't power off correctly, systems that take minutes to post, the usual issues with incorrect ACPI table entries, the list goes on.

    Basically, it's replacing one fairly stable code base, that the motherboard vendors often got wrong, with a completely new untested one that is 10x as complicated. You do the math.

    Linus had another rant about it recently called "The abomination called EFI".

    BTW: Gigabyte has a number of traditional motherboards that can boot GPT partitions, effectively removing the _ONE_ useful new feature in EFI.

    • by Cassini2 (956052) on Friday November 16, 2012 @11:30AM (#42001523)
    • by Microlith (54737)

      UEFI is pretty much a case of fixing what isn't broken

      Only because they decided to create something entirely new instead of switching to OpenFirmware. The 16-bit limitations on the BIOS are ridiculous in this day and age and moving to a new interface that ditches the ridiculous constraints imposed by the 8086 more than 30 years ago is a good thing.

      name brand motherboards that brick when flashed, systems that don't power off correctly, systems that take minutes to post, the usual issues with incorrect ACPI

      • by bored (40072)

        The 16-bit limitations on the BIOS are ridiculous in this day and age and moving to a new interface that ditches the ridiculous constraints imposed by the 8086 more than 30 years ago is a good thing.

        No one really gives a crap what the bios runs in, you cite OpenFirmware which is another example of old crufty stuff. I should know as I worked professionally on it for a while. 16bit-x86 is a better firmware environment than forth. Let me cite one of many examples of why openfirmware sucks worse than nearly any

      • by yuhong (1378501)

        Yea, EFI was originally designed for IA-64 which is completely different from x86.

    • by hpa (7948)
      GPT vs MBR is irrelevant to BIOS, unless, of course, the BIOS tries to parse the MBR and draw conclusions from it. So of course many of them do, and get it wrong. However, it is one of those things that "it works unless actively broken."
      • by evilviper (135110)

        GPT vs MBR is irrelevant to BIOS, [...] "it works unless actively broken."

        WTF are you talking about? How does the BIOS hand-off to the boot loader (eg. GRUB) on the active partition, if the BIOS doesn't even know what a partition is?

        Yes, you can stick a loader in the MBR and the BIOS will be able to load it, but there's so little space available there that you've gotta do neat tricks to get enough smarts in that little slice of disk to be able to read partitions and files, to be able to find the next stage

  • TPM is the worst (Score:5, Interesting)

    by TubeSteak (669689) on Friday November 16, 2012 @11:01AM (#42001221) Journal

    Because I'm lazy, I'll just copy and paste a comment I made in another thread about TPM

    Ever since TPM was created, we're always just a few bits and bytes away from having it leveraged against us, by them.
    And by "us" I mean "the computer users."
    By "them" I mean "the hardware manufacturers and software/media companies."

    Example: The newest motherboards don't *need* the ability to disable trusted boot. Heck, it'd have been easier to not include it!
    We're more or less at the mercy of a small number of companies and their design decisions.

    I recently found out, while looking at new laptops, that Lenovo & HP like to put whitelists of wireless cards into the BIOS.
    Someone hacked the BIOS and other cards will work, but for whatever reason, Lenovo/HP doesn't want you to use a storebought card.

    • by bored (40072)

      I've caught HP x86 servers doing the same thing with video cards. I wanted to run a PCIe video board not sold by HP. It simply failed, the BIOS refused to init it, and removed its parent bridge from the device list passed to the OS.

  • by Andrewkov (140579) on Friday November 16, 2012 @11:09AM (#42001289)
    As despicable as this is, on the other hand, it sort of implies that RHEL is certified to work with this machine.
  • Hell, I just bought a new VAIO laptop and upgraded from Windows 8 to Windows 8 Pro and I couldn't get it to boot in UEFI mode!!! Thank goodness for the Legacy mode or I would have been SOL.
  • by kallisti (20737) <rmidthun@yahoo.com> on Friday November 16, 2012 @01:24PM (#42002971) Homepage

    As seen here,
    http://www.csis.pace.edu/~bergin/patterns/ppoop.html [pace.edu]

    This whole issue could have been avoided if the developers didn't use the "Hacker Solution", but instead... well, read the paper.

    • by evilviper (135110)

      http://www.csis.pace.edu/~bergin/patterns/ppoop.html

      This whole issue could have been avoided if the developers didn't use the "Hacker Solution", but instead... well, read the paper.

      Though it hardly affects me, I have to highly disagree with the assertions of the paper... I'd say the "Hacker Solution" was the most proper, with the exception of using case instead of nested ifs, and pattern matching (eg. "Win*" instead of multiple full strings hard-coded). Don't underestimate the maintainability of code that

  • by ajlitt (19055)

    Always fighting for the users.

  • Can PLoP Boot Manager work around this?

    http://www.plop.at/en/bootmanager/index.html [www.plop.at]

  • That's what you get when you issue contracts to the lowest bidder. I'm personally aware of several instances just like this. One of my favorites was when a former employer elected to contract out the work for a database migration (same data, different table layout, with extra fields populated with default data). After several weeks of status updates indicating all was on track, the contractor demoed and delivered the finished product. Supposedly due to contract conditions, engineering wasn't given access to
