IBM gave me a Thinkpad 560X notebook about a year ago (thanks, it is
a nice beast). I discovered a few misfeatures and a few bugs, some of
them related to security. Here it goes: (I got a letter from one
person at IBM, explaining things.)
- Thinkpad will boot from floppy, even if it has the boot-up
sequence set to hard drive first and the hard disk is
bootable. The floppy has to have an IBM boot sector for this to
work; for example, the personality setting boot disk distributed
by IBM has it. I've successfully created a Linux boot disk
which can be used on a Thinkpad with floppy booting
disabled. If someone relied on the boot-up sequence for security
(I believe many people do), they are screwed. I got a
letter from IBM explaining it is a feature. As they think it
would not benefit ordinary users, they did not document
it. This can help you boot an otherwise unbootable computer
- the supervisor password is not a problem for this to work.
- Thinkpad will allow people to change personality
information, even without the supervisor password. Thinkpad
has a "personality" feature which allows people to mark their
computer with their name, address, and picture. I use a
penguin ;-). Unfortunately, this info is changeable even
without the supervisor password. (And BTW the floppy which allows
you to change it has a "magic" format.) This might be more
severe than it seems, because, IMHO, setting personality
information means flashing the BIOS. I was told personality
info is stored in a separate page of flash memory, so the main BIOS
should be safe.
- Easy setup - HDD tests. Easy setup is just plain
ugly. It looks like a perfectly safe thing. Well, it will
overwrite part of your hard drive without even asking for
confirmation. It seems like hard drives come preformatted to
slightly lower capacity than they really have. The rest is a test
zone, used for easy setup's rw tests. But if you happen to
re-fdisk your drive, it is pretty easy to put a normal partition
into this zone (this zone is not documented anywhere). This one
killed 2000 of my inodes 4 times. The last two times it was a random
person coming around my computer and launching the tests because
the machine asked them to do so. I'm
told this area is not accessible using normal int 13h
calls. Unfortunately, Linux does not use these calls so it did not
notice.
- Thinkpad Forgetting Passwords. I tried to set a
supervisor password on my notebook. I set it successfully, but
the notebook does not seem to recognize it. It is simple. If you
enter an 8-character password, the Thinkpad simply will not recognize
it. You have to enter only the first 7 characters in order to log
in. Great feature, knowing that IBM actually charges money for
unlocking your notebook. This was partly my fault. In the user's
manual, it is written that the password is 7 characters max. What
confused me was that when entering the password, additional characters
echoed as *'s happily.
- Neomagic close/reopen corrupting screen. I do not know
if this is a bug or not, but if I try to move the screen to the top left
corner using the following lines from SVGATextMode (they are in the
newest SVGATextMode distribution), which is required to get
100x37 text mode working (there are no docs about Neomagic, so
this is guesswork. Anyway, I'm going to
complain, just because there are no docs).
+ case CS_NEOMAGIC:
+ Outb_GR_CTL( 0x09, 0x26 );
+ break;
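Review bot: `Outb_GR_CTL( 0x09, 0x26 )` in the first CS_NEOMAGIC case writes a bare magic value with no comment on what index 0x09 controls or why 0x26 is the right value. Since the surrounding text says there are no Neomagic docs and this is guesswork, add a comment recording where the value came from and on which machine it was seen to work.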
+ case CS_NEOMAGIC:
+ if (OFLG_ISSET(OPT_TOPLEFT))
+ {
+ Outb_GR_CTL( 0x25, 0 );
+ Outb_GR_CTL( 0x2f, 0 );
+ Outb_GR_CTL( 0x30, 0 );
+ Outb_GR_CTL( 0x82, 0 );
+ }
+ break;
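Review bot: in the OPT_TOPLEFT branch of the second CS_NEOMAGIC case, indices 0x25, 0x2f, 0x30 and 0x82 are zeroed without reading or saving their previous contents, so these lines give no way to restore the earlier values or to re-apply the setting later. Suggest saving the old values before the four writes and adding a comment naming what each index is believed to control.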
...then this setting is lost after closing and re-opening the lid.
- Thinkpad not powering off. After a certain kind of
crash (run MS-Windows for a while :-), the Thinkpad will not power
off even when holding its power button. You have to turn it
over, take a pencil, and press a well-hidden reset button (blue; I
was told about it by an IBM technician, I would not have found it
otherwise). Pretty annoying. (I now have a reproducible way to
make the Thinkpad crash like this ;-)
Ok, above are things that I know. But there are things I do not
know (do not even ask me, I don't know; but if you find out some
answer, let me know!): I did not even open my
thinkpad... yet ;-).
- How to remove supervisor password -- IBM does it by removing all
parts from the board and essentially creating a new system board. Of course
there's another, "easier" way to do this, but IBM does it the hard way
and even people at IBM do not know how to do it easily. Clearing your
CMOS probably will not help. I do not even know where the password is
stored: is it CMOS or some part of flash? Unknown. And before you ask,
an "easier" way of course is possible: for example pulling out the flash ROM
and flashing in a modified BIOS which does not ask for passwords would
work, but a) it involves soldering of SMD chips b) you'd have to find
out what modification to do to the BIOS. [Ok, if you want to work on the
computer and not remove the password, try to see if you can make your
ThinkPad touch the floppy for more than the initial seek test. If you can,
stuff in the personality disk and it might boot. Play with the personality
disk a bit and it will happily boot Linux.]
- Who can remove your supervisor password -- well, I know few people
able to solder SMD chips, but I would not let them play with my
notebook, and they are generally too far away from you.
- How to remove harddisk password
- How to remove power-on password -- I was told that it is relatively
easy to do, but I know no details... Well, now I'm told the details ;-).
* How to remove power-on password -- I was told that it is relatively
easy to do, but I know no details.
You can remove the power-on password by shorting the 2 pins left of the
power connector (used for an extra battery) in the floppy/cdrom bay.
You're supposed to use a jumper, but I didn't have any that fit so I just
jammed a piece of wire in it. Replace the floppy/cdrom, power on the
system until POST is done, turn it off, remove the jumper and you should
be good to go as long as there is no supervisor or hard drive password.
(thanks to Adam Slattery)
FAQ (added 2001/08/23)
* Common mistake #1: if BIOS can change/read password,
I can do it, too.
Not true: think trapdoor. Register "TRAP" is set to zero during reset.
Once "TRAP" is set, it can not be reset using software and password data
are not accessible. BIOS sets the "TRAP" bit during bootup.
I am not sure thinkpad uses a "TRAP" register, but it very well might for its
supervisor password.
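The trapdoor idea from the answer above, as an added example that is not from the original page and does not describe how any ThinkPad actually works. The `pw_store` struct and all function names are hypothetical; the model only shows a latch that reset clears, software can set but not clear, and that gates access to the password cells.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN 7  /* the manual's stated maximum password length */

/* Hypothetical model: password cells gated by a sticky "TRAP" latch. */
struct pw_store {
    bool trap;               /* 0 after reset; once 1, software cannot clear it */
    uint8_t secret[PW_LEN];
};

/* Hardware reset is the only event that clears the latch. */
void hw_reset(struct pw_store *s) { s->trap = false; }

/* A software write can set the latch but never clear it. */
void trap_write(struct pw_store *s, bool v) { s->trap = s->trap || v; }

/* Password cells are readable and writable only while the latch is clear. */
int pw_read(const struct pw_store *s, uint8_t out[PW_LEN]) {
    if (s->trap) return -1;
    memcpy(out, s->secret, PW_LEN);
    return 0;
}

int pw_write(struct pw_store *s, const uint8_t in[PW_LEN]) {
    if (s->trap) return -1;
    memcpy(s->secret, in, PW_LEN);
    return 0;
}

/* Firmware runs first after reset: check the password, then shut the trapdoor. */
bool boot_after_reset(struct pw_store *s, const uint8_t typed[PW_LEN]) {
    uint8_t stored[PW_LEN];
    hw_reset(s);
    bool ok = pw_read(s, stored) == 0 && memcmp(stored, typed, PW_LEN) == 0;
    trap_write(s, true);     /* locked before any later code gets control */
    return ok;
}

int main(void) {
    struct pw_store s = { false, { 'p','e','n','g','u','i','n' } };  /* constructed */
    uint8_t typed[PW_LEN] = { 'p','e','n','g','u','i','n' }, out[PW_LEN];
    printf("boot ok: %d\n", boot_after_reset(&s, typed));
    trap_write(&s, false);   /* later software tries to reopen the trapdoor */
    printf("read after boot: %d\n", pw_read(&s, out));
    return 0;
}
```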
* How do I reset supervisor password?
OTOH, the password is probably stored in a serial EEPROM. You can try to wire the data pin to the ground, and try booting. This involves opening your computer, and if some essential info
is also stored in that PROM, or if the passwords are stored encrypted in the PROM, it will not work. Oh, you might also kill your machine. I don't know if it will work for Thinkpads, I never tried it. Ask shaddack.
It is said that IBM really does replace mainboards in order to get rid of the password...
[Soldering on mainboard may cause hidden damage and IBM apparently
does not want to risk that.]
Oops, it might be even more tricky than that. It seems that thinkpad stores password for its hdd, somewhere:
(from Paul Mullen:)
On the Thinkpads I have seen, setting the Supervisor password also sets the hard drive
password. The computer appears to work normally. But if you remove the hard drive
and place it in another computer it won't work - it simply appears as a controller failure
(unless you run IBM Drive Fitness Test or place it in a computer like Thinkpad which
understands hard disk passwords). I have come across this several times recently
when a notebook computer failed and the owner asked me to backup data from the hard
drive. The most recent case was actually someone who worked for IBM here! The only
way I had to get to the data was to get the Thinkpad working again! Once working
there was no password prompt (unless I set a user password) but the hard disk worked.
In any other computer, including other Thinkpads, the drive was password locked. So
obviously the Thinkpad BIOS had stored the hard disk password somewhere and was
passing it to the hard drive on startup.
(from Vojta:)
It should be possible to clear 560X by shorting two test pads on the mainboard during boot. Untested.
Someone who says they can remove TP passwords. I hope they do not disappear again.
Detailed instructions how to get rid of supervisor password
How to make magic floppy
This page was created by Pavel Machek.