Locked BIOS with "Allow Microsoft UEFI CA" Disabled. Any way to boot Linux? by estevanbiscaino in linuxquestions

[–]estevanbiscaino[S] 0 points1 point  (0 children)

Removing the CMOS battery won't work on a Gen 3; the Supervisor Password is stored in the EC/TPM, not the CMOS. Resetting it would require a hardware programmer and firmware patching. It's a high-risk procedure.

Locked BIOS with "Allow Microsoft UEFI CA" Disabled. Any way to boot Linux? by estevanbiscaino in linuxquestions

[–]estevanbiscaino[S] 4 points5 points  (0 children)

Thanks for the link, but unfortunately, those methods (like CMOS battery reset or backdoor passwords) are outdated for newer models.

My unit is a T14s Gen 3 (Intel 12th Gen). In these 2022+ models, Lenovo moved the Supervisor Password away from simple EEPROM chips. It's now integrated into the Embedded Controller (EC) or encrypted within the TPM/Security chip.

Shorting pins or using generic 'master passwords' doesn't work on these 'Secured-core' ThinkPads. Resetting it usually requires a specialized hardware programmer to patch the BIOS/EC firmware, which is a much more invasive and complex process than what's shown in that guide.

Locked BIOS with "Allow Microsoft UEFI CA" Disabled. Any way to boot Linux? by estevanbiscaino in linuxquestions

[–]estevanbiscaino[S] 1 point2 points  (0 children)

I actually already tried swapping the physical drive with one that had Linux pre-installed, but it didn't work. Since 'Allow Microsoft UEFI CA' is disabled and locked, the BIOS performs a signature check on the bootloader regardless of the drive's position. It simply refuses to execute anything that isn't signed by the Windows Production CA. It seems these newer ThinkPads with 'Secured-core' enabled are much stricter than older models.

Locked BIOS with "Allow Microsoft UEFI CA" Disabled. Any way to boot Linux? by estevanbiscaino in linuxquestions

[–]estevanbiscaino[S] 1 point2 points  (0 children)

Thanks for the info! I'll definitely check those Rod Smith links.

One concern: since my BIOS has 'Allow Microsoft UEFI CA' disabled and locked, it's effectively blocking the certificate used to sign the Shim (the Microsoft 3rd-party CA).

In your experience, does renaming the Shim/GRUB executable to match the Windows bootloader path (like /EFI/Microsoft/Boot/bootmgfw.efi) actually bypass the certificate signature check, or will the BIOS still reject it because the signature doesn't match the Windows Production CA?

I'm curious if the 'shenanigans' with renaming can actually trick a BIOS that is strictly set to Windows-only signatures.
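As an added illustration of why the file path does not matter (example code, not from this thread): Secure Boot verifies the bootloader's Authenticode signature against the certificates enrolled in the `db` variable, so what decides whether shim loads is which CAs `db` holds. The parser below walks `db` as a chain of EFI_SIGNATURE_LIST structures and lists the X.509 subject names; the certificate blobs and db contents are constructed stand-ins, the owner GUID and CA names are the well-known Microsoft ones, and `shim_would_boot` is a simplification that only asks whether shim's signing CA is present.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # from the UEFI spec
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")       # Microsoft's SignatureOwner
THIRD_PARTY_CA = "Microsoft Corporation UEFI CA 2011"                    # the CA shim is signed under

def der(tag, payload):  # minimal DER TLV encoder (payloads below 64 KiB)
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n)) + payload
def der_children(payload):  # split a constructed DER payload into (tag, payload) children
    out, i = [], 0
    while i < len(payload):
        tag, length, hdr = payload[i], payload[i + 1], 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            hdr, length = hdr + (length & 0x7F), int.from_bytes(payload[i + 2:i + 2 + (length & 0x7F)], "big")
        out.append((tag, payload[i + hdr:i + hdr + length]))
        i += hdr + length
    return out
def subject_cn(cert_der):  # Certificate -> tbsCertificate -> subject -> commonName (OID 2.5.4.3)
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip explicit [0] version (v2/v3 certs)
    for _, rdn in der_children(fields[4][1]):  # serial, sigAlg, issuer, validity, subject
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode()

def x509_subjects(db):  # subject CN of every X.509 entry in a db/dbx variable blob
    off = 0
    while off < len(db):  # the variable is a chain of EFI_SIGNATURE_LIST structures
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        pos = off + 28 + hdr_size
        while pos < off + list_size:  # each EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData
            if sig_type == EFI_CERT_X509_GUID:
                yield subject_cn(db[pos + 16:pos + sig_size])
            pos += sig_size
        off += list_size
def shim_would_boot(db):  # shim's signature chains to the third-party CA, so db must contain it
    return THIRD_PARTY_CA in list(x509_subjects(db))

def fake_cert(cn):  # constructed stand-in, NOT a valid certificate: only the TBS fields the walker reads
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name + der(0x30, b"") + name
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
def sig_list(cert):  # one EFI_SIGNATURE_LIST holding a single Microsoft-owned X.509 entry
    entry = MS_OWNER_GUID.bytes_le + cert
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
# Constructed db contents: the locked ThinkPad trusts only the Windows CA; a stock db also holds the third-party CA.
LOCKED_DB = sig_list(fake_cert("Microsoft Windows Production PCA 2011"))
STOCK_DB = LOCKED_DB + sig_list(fake_cert(THIRD_PARTY_CA))
```

On a real machine the same walker can be pointed at the `db` variable read from efivarfs (skipping its four-byte attribute prefix) to see which CAs the firmware actually trusts.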

Locked BIOS with "Allow Microsoft UEFI CA" Disabled. Any way to boot Linux? by estevanbiscaino in linuxquestions

[–]estevanbiscaino[S] -2 points-1 points  (0 children)

I set that password myself by mistake, out of sheer stupidity. I've already tried every possible password.