Lenovo has a blog post on supply chain security:
[…]Have you ever considered whether the PCs delivered to your business contain the same components installed by the manufacturer?[…]
http://blog.lenovo.com/en/blog/securing-the-supply-chain/
Lenovo: please publish hashes for your online firmware images!