Most computers provide a way to reset the firmware to factory defaults, which should include no firmware password (although Secure Boot will probably still be active). Check your manual or call Lenovo to find out how to do this.
As to Secure Boot, as already stated, it should be disable-able once the password issue is dealt with. Furthermore, several distributions work with it enabled. Ubuntu should, but that seems problematic based on online reports I've seen. Fedora seems better on that score. OpenSUSE also works with Secure Boot, but I haven't been following it as closely, so I'm not sure how well it works. In theory, you can get any distribution to boot with Secure Boot enabled, as described on my Web page on the topic. The trouble is that you'll need to either modify the installation medium to boot via shim or PreLoader, or temporarily disable Secure Boot to do the installation and then install shim or PreLoader. Installing shim or PreLoader manually can be a bit of a hassle. Thus, for ease of use, it's best to either stick with a distribution that supports Secure Boot or disable the feature entirely.
Secre Boot