Don’t panic – you can still secure boot Linux on new ThinkPads

There seems to be a whole lot of half-informed “information” floating around about Lenovo and/or MS locking out Linux on new ThinkPads. And, as usual, the torch-and-pitchfork crowd is railing against the conspiracy.

Nope. You can still boot a signed distro, but it takes one more step. The ability to boot something that uses MS 3rd party certs has been split out in the secure boot options. Enter BIOS, switch that toggle, and Bob’s your uncle. Confirmed on my ThinkPad X1 Yoga Gen 7 and multiple other ThinkPads by my mates. Whew.


X1 Yoga Gen 7 BIOS 3rd Party Certs – image updated


5 Responses to Don’t panic – you can still secure boot Linux on new ThinkPads

  1. roboknave says:

    Yeah, how do you get that “Allow Microsoft 3rd Party UEFI CA” to show up? I have the exact same Thinkpad BIOS screen and there IS NOT an option to “Allow Microsoft 3rd Party UEFI CA” anywhere in the Secure Boot section of the BIOS.

    UEFI BIOS Version: N2WET37W (1.27)
    UEFI BIOS Date: 2022-07-04
    Machine Type Model: 20U9005LUS

    • The Geez says:

      That is an X1 Carbon Gen 8. It predates that particular feature, so toggling it isn’t necessary. If you are having secure boot problems it’s caused by something else.

      • roboknave says:

        Thanks for the reply. I wasn’t sure because I can see the CAs it appears to have in the key management area. In the Authorized Sig database it DOES seem to have the UEFI CA 2011. I don’t know how I can compare it to others, but presumably it’s got the same signature as the one I need for the Shim. Yet, the device just blows past the USB right to the internal drive. Doesn’t seem like there is any way to get errors or anything. Anyway, thanks again. Looks like I might end up skinning a different cat.

        • The Geez says:

          Trying to boot Linux or something else? Might be easier to dig into this over at the Lenovo forums:

          I’m happy to work on it here if you like (FWIW – don’t mean to assume I can fix it…), but with the fully moderated comment setup here it’s a little clunky.

          • roboknave says:

            I finally figured it out. The keys were “custom”… So I reset them back to factory defaults. Presumably, someone wanted to make sure Linux would NOT boot. Once I did that, it boots fine now. Was kind of afraid to “reset” the keys because I didn’t want to somehow brick the laptop. It is Linux. It seems to work fine.
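One way to compare the Authorized Signature database (db) between machines, or before and after a reset to factory keys, as raised in the comments above. This is an added example, not part of the original post or its comments: it parses the EFI_SIGNATURE_LIST layout of the `db` variable and returns a SHA-256 fingerprint per X.509 entry. The Linux efivarfs path, the helper names and the constructed sample blob are assumptions.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification; the efivarfs path assumes a Linux system.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Yield (type, owner, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def x509_entries(blob, needle=b"UEFI CA 2011"):
    """(owner, sha256, name_hit) per X.509 entry; name_hit is a raw substring heuristic."""
    return [(str(owner), hashlib.sha256(data).hexdigest(), needle in data)
            for sig_type, owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID]

def make_list(sig_type, owner, data):
    body = owner.bytes_le + data  # one entry: owner GUID followed by the signature data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

# Constructed sample: placeholder bytes stand in for real DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, OWNER, b"constructed: CN=Example UEFI CA 2011")
             + make_list(EFI_CERT_X509_GUID, OWNER, b"constructed: CN=Example Custom Key")
             + make_list(EFI_CERT_SHA256_GUID, OWNER, bytes(32)))

if __name__ == "__main__":
    try:
        with open(DB_PATH, "rb") as f:
            blob = f.read()[4:]  # efivarfs prefixes a 4-byte attribute field
    except OSError:
        blob = SAMPLE_DB  # no readable db variable here: fall back to the sample
    for owner, digest, named in x509_entries(blob):
        print(owner, digest, "names 'UEFI CA 2011'" if named else "")
```

Matching fingerprints on two machines mean the same certificate bytes are enrolled; a db whose fingerprints differ from a known factory-default machine points to custom keys.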
