  • Posts: 5
  • Registered: ‎01-24-2021
  • Location: Germany
  • Views: 25
  • Message 1 of 13

Own secure boot keys on T14

2021-03-06, 17:13 PM

I recently bricked my brand new ThinkPad T14 AMD Gen1 (twice in a row) by replacing the secure boot keys in firmware with my own.

It was the same problem as described here:

https://forums.lenovo.com/t5/ThinkPad-P-and-W-Series-Mobile/Thinkpad-P1-Gen2-stuck-in-Bootloop-quot-Configuration-changed/td-p/4579508

or here:

https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/BIOS-BUG-X1C7-quot-Configuration-changed-restart-system-quot-loop-after-enrolled-my-own-secureboot-key/m-p/4607484

I realised it was a firmware issue too late, only after my second try.

This was happening with an older version of the firmware 1.05 and the repair requires replacement of the mainboard.

 

After the last repair the notebook came with the newest firmware 1.30.

Has this critical issue been fixed in this new version of the firmware?

Can I finally set up my computer or will this just trigger another warranty repair?

  • Posts: 13223
  • Registered: ‎11-30-2015
  • Location: Philippines
  • Views: 756210
  • Message 2 of 13

Re:Own secure boot keys on T14

2021-03-07, 4:11 AM

Hello grepe,

 

Greetings.

 

Using a custom firmware is not really encouraged instead of those offered with the official support channel.

 

On occasion, this may not be serviced within warranty and can be regarded as user-induced damage, where the customer ends up paying for both parts and labor.

 

Those official firmware and drivers are tested and certified for each model variant and are expected to work as intended.

 

Regards,

spidey101 



  • Posts: 5
  • Registered: ‎01-24-2021
  • Location: Germany
  • Views: 25
  • Message 3 of 13

Re:Own secure boot keys on T14

2021-03-07, 7:47 AM

Hello spidey,

To clarify: I have no intention of using custom firmware.

The key used to verify the system that is being booted is a setting in the official stock firmware that comes with the device.

Changing this setting with the older version of firmware breaks the device.

I was just wondering if the problem has been fixed in the newer version that came pre-installed on the device from the official Lenovo service.

  • Posts: 33
  • Registered: ‎12-12-2013
  • Location: Poland
  • Views: 927
  • Message 4 of 13

Re:Own secure boot keys on T14

2021-03-08, 12:28 PM

I recently enrolled my own secureboot keys on my T14 AMD Gen1 on firmware 1.30, without any issues. I used the key enrollment menu in the UEFI.

I had no idea it could go so horribly wrong. Maybe I just got lucky, as this is just one sample. Would be nice to have confirmation from Lenovo whether or not this was fixed.

  • Posts: 5
  • Registered: ‎01-24-2021
  • Location: Germany
  • Views: 25
  • Message 5 of 13

Re:Own secure boot keys on T14

2021-03-11, 21:08 PM

Thank you for sharing, I also feel uncomfortable to just do it without official confirmation.

Maybe the key point was to do it directly from the firmware menu rather than using the KeyTool?

  • Posts: 4
  • Registered: ‎04-24-2021
  • Location: United States of America
  • Views: 10
  • Message 6 of 13

Re:Own secure boot keys on T14

2021-04-24, 2:43 AM

I was wondering if you ever got your own secure boot keys installed?

 

I just bricked my brand new X1 Yoga 6th Gen within 4 hours of having the device. Extremely sad that this sort of bug exists that a simple software change can render the entire computer useless.

 

I seemed to follow the same steps that you did to cause the issue by enrolling the keys with KeyTool. It also booted once after but never again.

 

<UNVERIFIED> -- I saw a "warning" on the Arch wiki that you need to do the PK.auth file last. After the KEK.auth and DB.auth. Since the PK locks the enrolment process. -- </UNVERIFIED>

 

I am returning my computer and getting a new one. I am now extremely worried about bricking another one so I am wondering if I should just leave secure boot disabled, try to install the keys in a different order, or try to install them with the UEFI tool itself (I don't remember seeing this option).

 

I have never had an issue on any other brand and have already gone through two ThinkPads in less than a month which is not confidence inspiring.

 

Just wanted to see if you ever figured anything out.

 

Thanks!

  • Posts: 474
  • Registered: ‎09-04-2019
  • Location: United States of America
  • Views: 5133
  • Message 7 of 13

Re:Own secure boot keys on T14

2021-04-24, 16:16 PM

What do you mean your own secure boot key? Like the Yubico keys? Is that what you mean???

  • Posts: 4
  • Registered: ‎04-24-2021
  • Location: United States of America
  • Views: 10
  • Message 8 of 13

Re:Own secure boot keys on T14

2021-04-24, 16:27 PM

No, not Yubico or anything in userland.

 

If you are familiar with how secure boot works, it verifies the cryptographic signatures of the kernel and drivers.

 

On Windows everything works since Microsoft and the 3rd party vendors sign all of the drivers and kernel. But on Linux you have to sign everything yourself, or disable secure boot.

 

So the issue described in this post is a problem where the machine goes into a boot loop when you try to add a self-signed certificate to the BIOS's secure boot keystore.

 

The option to add certificates is a standard operation supported by default under the BIOS -> Secure Boot settings, but will cause a boot loop if you add your own key.

 

I am trying to figure out when I get my replacement PC if I should try again to install my own keys and risk another boot loop (bricking) or just forget about the entire thing and disable it.

  • Posts: 33
  • Registered: ‎12-12-2013
  • Location: Poland
  • Views: 927
  • Message 9 of 13

Re:Own secure boot keys on T14

2021-05-13, 9:42 AM

Hi, sorry for the late reply.

 

I followed the Arch wiki exactly, including enrolling the PK last. Additionally, I added Microsoft's certificates in order to dual boot Windows, I wonder if that's got anything to do with why my machine works fine.

Reply
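An added example, not part of the original posts: a read-only Python pre-flight that records whether the firmware is in Setup Mode and which entries db, KEK and PK currently hold, keeping a raw copy of each, before any own-key enrollment of the kind discussed in this thread. It assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars; the function names and the sample data are hypothetical.

```python
import hashlib
import struct
import uuid
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK, SetupMode
EFI_IMAGE_SECURITY = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
SIG_TYPES = {"a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "x509",
             "c1c41626-504c-4092-aca9-41f936934328": "sha256"}

def parse_esl(data):
    """List (type, owner GUID, SHA-256 of payload) for each EFI_SIGNATURE_LIST entry."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = str(uuid.UUID(bytes_le=data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(data):
            raise ValueError(f"corrupt signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = str(uuid.UUID(bytes_le=data[pos:pos + 16]))
            digest = hashlib.sha256(data[pos + 16:pos + sig_size]).hexdigest()
            entries.append((SIG_TYPES.get(sig_type, sig_type), owner, digest))
            pos += sig_size
        off = end
    return entries

def read_var(efivars, name, guid):
    """Variable data without the 4-byte efivarfs attribute prefix; b'' if unset."""
    path = Path(efivars) / f"{name}-{guid}"
    return path.read_bytes()[4:] if path.exists() else b""

def preflight(efivars="/sys/firmware/efi/efivars", backup_dir=None):
    """Report Setup Mode and the current db/KEK/PK entries, saving raw copies first."""
    report = {"setup_mode": read_var(efivars, "SetupMode", EFI_GLOBAL) == b"\x01"}
    for name, guid in (("db", EFI_IMAGE_SECURITY), ("KEK", EFI_GLOBAL), ("PK", EFI_GLOBAL)):
        raw = read_var(efivars, name, guid)
        if backup_dir and raw:
            (Path(backup_dir) / f"{name}.esl").write_bytes(raw)
        report[name] = parse_esl(raw)
    return report

def make_esl(sig_type, owner, payload):
    """Build a one-entry signature list (used only for the constructed sample)."""
    body = uuid.UUID(owner).bytes_le + payload
    header = struct.pack("<III", 28 + len(body), 0, len(body))
    return uuid.UUID(sig_type).bytes_le + header + body

if __name__ == "__main__":
    # Constructed sample, not real firmware data: one placeholder "certificate".
    sample = make_esl("a5c059a1-94e4-4aa7-87b5-ab155c2bf072",
                      "11111111-2222-3333-4444-555555555555", b"PLACEHOLDER-DER")
    print(parse_esl(sample))
```

For x509 entries the digest equals the SHA-256 of the DER certificate file, so the factory db contents can be compared against certificates you intend to keep.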
  • Posts: 10
  • Registered: ‎08-02-2021
  • Location: Germany
  • Views: 60
  • Message 10 of 13

Re:Own secure boot keys on T14

2021-08-03, 11:48 AM

+1 bricked T14s (AMD) after using KeyTool

 

Why on earth should this be customer induced damage?

All we try to do is use UEFI mechanisms that deploy our own secure boot keys.

 

Please @spidey101 resolve and clarify this.

 

There needs to be a warning to customers about this bug ASAP and also a fix in the UEFI.
