Just purchased Lenovo ThinkPad L16 Gen 1 AMD certified on Ubuntu 22.04 LTS. I am not thrilled at the idea I may have purchased a machine that MS demands in all new machines running its OS, TPM 2.0. A chip specifically required for the co-pilot & Bit-locker. Did I inadvertently buy a machine with that installed?
Do Lenovo laptops purchased with preinstalled Ubuntu have the TPM 2.0 chip
- Thread starter J_Temple
- Start date
Did you have a particular concern about the TPM chip in the machine? The specifications of that Thinkpad do indicate that the chip is there if you wish to take advantage of it. On the other hand, if it happens to be enabled, but you wish to have it disabled, then there are no issues to doing that in linux.
On installation here on a Lenovo Thinkpad T15 Gen2, the TPM 2.0 chip was disabled in the BIOS/UEFI.
One can check to see the current status of the TPM chip as follows:
Code:
[~] $ cat /sys/class/tpm/tpm0/device/power/runtime_enabled
disabledApart from disabling in the BIOS/UEFI one can alternatively disable the chip by blacklisting its modules, or by using a kernel option that disables the loading of a module. Using a blacklist or kernel option obviates the need to enter the BIOS/UEFI which may be more convenient in some situations.
Anyway, perhaps expand on the concerns you have.
I certainly want it disabled. If it is disabled by default I will leave it disabled. I want nothing to do with AI and that is the point of that chip as I understand it. Once the machine arrives, maybe by the 30th of March, I will check the status. I hope it will not interfere with installing any new Linux distros. Thanks for the prompt reply!
I wouldn't worry about it...if you're going to install Linux as Linux doesn't need it.
Just another way microslop (as they call it now) tries to control it's users...just like secure boot. To run Linux just disable secure boot and you're good to go.
Someone I know had a brand new Tower built by a computer shop last year (2025). They were given two instructions...disable secure boot and don't install windoze.
When the computer was ready...I created an image of my System Mint Cinnamon 22.1 and put it on the new SSD...which booted straight up...the only thing I did was run the Driver Manager because the Graphics Card was new.
Just another way microslop (as they call it now) tries to control it's users...just like secure boot. To run Linux just disable secure boot and you're good to go.
Someone I know had a brand new Tower built by a computer shop last year (2025). They were given two instructions...disable secure boot and don't install windoze.
When the computer was ready...I created an image of my System Mint Cinnamon 22.1 and put it on the new SSD...which booted straight up...the only thing I did was run the Driver Manager because the Graphics Card was new.
MzQ1NjExN2
Well-Known Member
What did you use to create an ISO of your system? Was the hard drive you installed it on the same size? Bigger? Smaller?
Last edited:
TPM doesnt affect Linux, but it can affect some playback tools.
TPM and media playback: This is where it gets more nuanced
This is the more interesting concern. TPM itself doesn't directly block playback, but it's part of a broader DRM ecosystem that can:
Widevine (Netflix, etc.): Google's Widevine L1 (high-res, HDR) requires a verified hardware trust environment — typically TPM + Secure Boot + vendor-certified firmware. Most Linux installs get Widevine L3 at best, meaning 480p or 720p caps on protected content. TPM being enabled doesn't fix this; it's about whether the full chain is certified.
HDCP: If you're playing back to an HDCP-protected display chain, TPM is tangentially involved in some implementations but usually isn't the limiting factor on Linux.
Local Blu-ray / protected disc: This is almost entirely broken on Linux regardless of TPM state, due to AACS/BD+ not having licensed Linux players. TPM presence changes nothing there.
Distro coverage:
All major distros — RHEL/Fedora, Debian/Ubuntu, Arch, openSUSE — ship kernel TPM 2.0 support and tpm2-tools. Some (like Fedora) have been moving toward TPM-backed LUKS unlocking as a smoother out-of-box experience. None of them treat an enabled TPM as hostile.
TPM and media playback: This is where it gets more nuanced
This is the more interesting concern. TPM itself doesn't directly block playback, but it's part of a broader DRM ecosystem that can:
Widevine (Netflix, etc.): Google's Widevine L1 (high-res, HDR) requires a verified hardware trust environment — typically TPM + Secure Boot + vendor-certified firmware. Most Linux installs get Widevine L3 at best, meaning 480p or 720p caps on protected content. TPM being enabled doesn't fix this; it's about whether the full chain is certified.
HDCP: If you're playing back to an HDCP-protected display chain, TPM is tangentially involved in some implementations but usually isn't the limiting factor on Linux.
Local Blu-ray / protected disc: This is almost entirely broken on Linux regardless of TPM state, due to AACS/BD+ not having licensed Linux players. TPM presence changes nothing there.
Distro coverage:
All major distros — RHEL/Fedora, Debian/Ubuntu, Arch, openSUSE — ship kernel TPM 2.0 support and tpm2-tools. Some (like Fedora) have been moving toward TPM-backed LUKS unlocking as a smoother out-of-box experience. None of them treat an enabled TPM as hostile.
As I understand it, TPM is only indirectly used by "A.I" anyway. TPM 2.0 is primarily a 'security' chip.....used for storing Secure Boot certificates, security keys for BitLocker, M$ account details.....stuff like that. I believe it's why you can set-up a Windows install (via M$ a/c, natch!), then you can uninstall and remove Windows entirely.
You can change your mind and re-install Windows again, perhaps years later, on that same machine.....and Windows immediately recognises your install AND it's registered & up-and-running straight away, because your M$ a/c credentials are retrieved from the TPM 2.0 chip and used by Windows automatically.
As far as I know, every machine built over the last decade has had a TPM chip, because it was also a requirement for Windows 10 (though I'm not sure about this; haven't run the Beast of Redmond for a very long time.....I only know what I read).
I think that's how it works, anyway. More than happy to be corrected if I'm wrong, but I don't think I'm so far out.
Mike.
You can change your mind and re-install Windows again, perhaps years later, on that same machine.....and Windows immediately recognises your install AND it's registered & up-and-running straight away, because your M$ a/c credentials are retrieved from the TPM 2.0 chip and used by Windows automatically.
As far as I know, every machine built over the last decade has had a TPM chip, because it was also a requirement for Windows 10 (though I'm not sure about this; haven't run the Beast of Redmond for a very long time.....I only know what I read).
I think that's how it works, anyway. More than happy to be corrected if I'm wrong, but I don't think I'm so far out.
Mike.
Last edited:
[Claude Ai]
A TPM (Trusted Platform Module) chip is essentially a dedicated security co-processor soldered onto (or firmware-embedded in) the motherboard. Here's what it actually does:
Core function: secure key storage and cryptographic operations
The TPM stores cryptographic keys, certificates, and hashes in tamper-resistant hardware. The critical distinction is that private keys never leave the chip — crypto operations happen inside it. This makes it fundamentally different from software-based key stores.
What it's used for in practice:
On Linux specifically, tpm2-tools gives you direct access, and tools like clevis + tang or systemd-cryptenroll let you bind LUKS volumes to TPM PCR values — so a properly configured machine auto-unlocks at boot but resists offline attacks. That's where it gets genuinely useful in a sysadmin context rather than just being a Windows requirement checkbox.
The Windows 11 mandate brought it back into public conversation, but TPM has real security value when properly integrated into your boot and encryption strategy.
A TPM (Trusted Platform Module) chip is essentially a dedicated security co-processor soldered onto (or firmware-embedded in) the motherboard. Here's what it actually does:
Core function: secure key storage and cryptographic operations
The TPM stores cryptographic keys, certificates, and hashes in tamper-resistant hardware. The critical distinction is that private keys never leave the chip — crypto operations happen inside it. This makes it fundamentally different from software-based key stores.
What it's used for in practice:
- Full disk encryption (BitLocker/LUKS) — The TPM holds the volume master key and will only release it if the boot chain measurements match expected values. If someone pulls your drive and installs it elsewhere, the TPM isn't there to unlock it.
- Measured boot / boot integrity — The TPM records SHA hashes of each boot stage (firmware → bootloader → kernel → initrd) into Platform Configuration Registers (PCRs). This creates a tamper-evident log of what actually ran at boot. UEFI Secure Boot works alongside this.
- Remote attestation — A remote system can ask your TPM to cryptographically prove what software is running. This is used in enterprise zero-trust and cloud environments to verify a machine's integrity before granting access.
- Credential and certificate protection — SSH keys, TLS certs, and smartcard emulation can be TPM-backed, meaning the key material is hardware-bound.
- fTPM vs discrete TPM — Modern AMD and Intel platforms often implement firmware TPM (fTPM) inside the CPU itself rather than a separate chip, which is functionally equivalent for most purposes.
On Linux specifically, tpm2-tools gives you direct access, and tools like clevis + tang or systemd-cryptenroll let you bind LUKS volumes to TPM PCR values — so a properly configured machine auto-unlocks at boot but resists offline attacks. That's where it gets genuinely useful in a sysadmin context rather than just being a Windows requirement checkbox.
The Windows 11 mandate brought it back into public conversation, but TPM has real security value when properly integrated into your boot and encryption strategy.
TPM has also been around, in one form or another, for more than two decades.
Just because it's an MSFT requirement doesn't mean it's bad. It's a tool. Using Windows also requires a CPU.
Just because it's an MSFT requirement doesn't mean it's bad. It's a tool. Using Windows also requires a CPU.
I can second/third/x the others. You don't need to worry, a TPM has no business with A.I. If it is mentioned in relation to Copilot, that can only be for Windows authentication related activities. It is indeed pre-requisite for Bitlocker, that's why MS demanded all W11 customers buy new hardware.
(edit: I reworded this paragraph, because I got the distinction to SB wrong at first)
It is similar to Secure Boot: If you keep it enabled for installing Linux, some distros will default to activate their Secure Boot kernel (which often is a separately signed package). If you disable it, they simply won't. If you use the laptop roaming, a default Secure Boot is not a bad feature per se (a pre-boot and UEFI password more important, arguably). At the same time, you can later easier enable Secure Boot, than disabling it, but all is possible with Linux. And the same applies for the TPM. If you enable it upon installing Linux, the kernel will offer it at runtime. If you then use some features, for example with luks encryption or systemd's password manager (try
If you are unsure if and how you want to utilise the TPM effectively, there is no downside for your regular Linux usage and you can indeed activate the TPM anytime later, once you decide. What happens is the kernel recognising it on next boot and loading appropriate modules.
If you instead choose a distro and trust its default settings at install to be the best for you, you may also leave the TPM active - and the distro you install may use it or offer optional features enabled by it.
(edit: I reworded this paragraph, because I got the distinction to SB wrong at first)
It is similar to Secure Boot: If you keep it enabled for installing Linux, some distros will default to activate their Secure Boot kernel (which often is a separately signed package). If you disable it, they simply won't. If you use the laptop roaming, a default Secure Boot is not a bad feature per se (a pre-boot and UEFI password more important, arguably). At the same time, you can later easier enable Secure Boot, than disabling it, but all is possible with Linux. And the same applies for the TPM. If you enable it upon installing Linux, the kernel will offer it at runtime. If you then use some features, for example with luks encryption or systemd's password manager (try
systemd-analyze has-tpm2, it lists which part of your system supports a TPM at current), they may start binding secrets to the TPM. This is in theory mimicking what Bitlocker does. It has pros and cons, but nothing of it relates to AI. Rather the TPM is a secure storage chip that enables measured processing.If you are unsure if and how you want to utilise the TPM effectively, there is no downside for your regular Linux usage and you can indeed activate the TPM anytime later, once you decide. What happens is the kernel recognising it on next boot and loading appropriate modules.
If you instead choose a distro and trust its default settings at install to be the best for you, you may also leave the TPM active - and the distro you install may use it or offer optional features enabled by it.
Last edited:
I didn't create an ISO...I created an image which is a file...it was an SSD the image was taken from and put on another SSD of the same size.
I don't use HDDs for my Distro for a number of reasons.
To create an image of my System I use Foxclone...https://foxclone.org and Rescuezilla...https://rescuezilla.com.
MzQ1NjExN2
Well-Known Member
Ah ok. I thought maybe you had a method that could install on any size SSD.
MzQ1NjExN2
Well-Known Member
Ah yes I tried to expand and use up the unused space but I couldn't get it to work. I usually am able to get through most problems but this was one that I got stuck on. Ah well I'm waiting for Mint 23 to come out anyway before I attempt to try again.
I just canceled the new Think Pad. I have two good towers that I love and I am finding that every generation of computers seem to give less for more money and then you can buy what your not getting as peripherals. I have decided to refurbish my current computers: A Dell Inspiron 3668 and Acer Aspire TC-780. My son, who is a real tech wizard is coming for a visit in May and told me not to buy, change or do anything until he gets here . The last issues I had were trying to install a new, fresh in box VISTA OS. It was a genuine, still sealed copy so pros need not fear it. I needed help getting the right drivers & called several PC repair shops not one could help me but did demand to know why I wanted it! In the end, as so often seems to happen in my world, it took me a little while to find all the old "updates" and drivers required but I did the job myself. (I'm getting too paranoid about the tech industry in general) I've trusted my son since he started writing code at 7 & building his own machines at 11.
Come across this before, the drivers you need are not Windows drivers Perse but motherboard drivers, find the make and model of your motherboard then search for the driver package [[ motherboard drivers for xxxxxxx0000000] or [legacy motherboard drivers for xxxxxxx000000] download to CD/DVD/Pendrive [whichever your using] to install
Going back to the original question, I cannot think of any new motherboards that do not include TMP, in most cases its a separate chip, sometimes its built in software but in both cases can usually be disabled if you don't want it
Vista install was at least 5 years ago. I keep it turned off and offline. I only arranged that PC for a load of software I had purchased and now would only be available with a subscription. My other 2 machines are fully Linux Mint. I just recently down loaded 22.3 and will be doing a clean install on both machines. You'd be surprised at how difficult it can be to find legacy drivers AND in my case, I needed the OS updates for the Vista system. In any case, I finally got everything I needed and all the software is running just fine.
These are old links but may still work, note if you discs are not vista sp1, then you must install sp1 before sp2
vista sp1 https://download.microsoft.com/down...re_wave1_ServicePackInstaller-FRMCSP1_CD1.iso
vista sp2 https://archive.org/download/windows-vista-service-pack-2/Windows Vista Service Pack 2.iso
if you want to sift and individually install
all vista updates [not pre packed] https://www.catalog.update.microsoft.com/Search.aspx?q=Vista Service Pack 2
vista sp1 https://download.microsoft.com/down...re_wave1_ServicePackInstaller-FRMCSP1_CD1.iso
vista sp2 https://archive.org/download/windows-vista-service-pack-2/Windows Vista Service Pack 2.iso
if you want to sift and individually install
all vista updates [not pre packed] https://www.catalog.update.microsoft.com/Search.aspx?q=Vista Service Pack 2
I'm not sure that I can agree with this statement. Modern computers are insanely inexpensive for what you're getting.
(This excludes the current RAM bubble, which seems to be sorting itself out.)
Even then, we can use RAM as an example. I was once excited when RAM prices reached the $1.00 per MB price point. Yup, a 128 MB stick of RAM was $128—and that made me happy.
Heck, we don't even have to buy a graphics card, a sound card, or even a math coprocessor. We can buy two of those things, but they're very inexpensive for what they are (when compared with older devices).
You don't have to go back very far to when people paid hundreds of thousands of dollars for less computing power than you have in the average cell phone. My first CD-ROM was $500, which I got on sale. I waited for it because I refused to pay slightly more than $1000 for it. (Adjusted for inflation, that $500 would be about $1200 today.)
My goal isn't to argue. My goal is to help you be more optimistic. As far as powerful computers go, it's amazing what you can buy.
Latest posts
-
Another one: CIFSwitch: a non-universal Linux local root vulnerability- Latest: beanburrito
-
-
-