But doesn't that defeat the purpose? If a trusted Chinese certificate authority issues some certificate on google.com for China to perform a MITM attack, and Chrome ignores anything signed by a valid root certificate, it will never report this attack. I thought the point of certificate pinning is precisely that only a single authority can sign a certificate for a website.
No, the purpose of pinning is to stop a compromised CA from issuing their own www.google.com cert.
If someone installs a CA, Chrome will trust it. There's not much way around this: if someone has the capability to install a CA on your computer, they'd have the capability to modify chrome.exe to force acceptance of it.
Also, sometimes MITM'ing is desired. I'm doing it right now with Firefox and Burp Suite.
Chrome could display a notice reminding users that it's an executable that can be compromised by other programs. But those other programs could also delete that notice.
This situation is quite common in enterprise deployments [1], where HTTPS traffic is MITM-proxied through a central server to e.g. check for malicious content or other filtering.
If Chrome were to block unknown roots for pinned sites, these sites would become inaccessible because the MITM proxy is still active. That's certainly not desirable in a controlled enterprise environment, but the same would occur when blocking this 'Lenovo root'.
More precisely, Chrome doesn't enforce certificate pinning if the certificate is signed by an unknown root (like one installed by your system administrator, or apparently your laptop manufacturer).
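The behaviour discussed in this thread, as an added example that is not part of any comment and is not Chrome's code: a simplified model of the pin decision, showing that a pin rejects a chain from a different publicly trusted CA but is skipped when the chain ends at a locally installed root. All names, keys and the pin set below are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

def spki_pin(cert):
    """A pin is modelled as the SHA-256 hash of the certificate's public key info."""
    return hashlib.sha256(cert.spki).hexdigest()

def check_chain(host, chain, builtin_roots, local_roots, pins):
    """chain is leaf first, root last. Returns (accepted, reason)."""
    root = spki_pin(chain[-1])
    if root not in builtin_roots and root not in local_roots:
        return (False, "untrusted root")
    host_pins = pins.get(host)
    if host_pins is None:
        return (True, "no pins for host")
    if root not in builtin_roots:
        # Root was added by the user, an administrator or the vendor:
        # pins are not enforced, so an intercepting proxy keeps working.
        return (True, "pins skipped: locally installed root")
    if any(spki_pin(c) in host_pins for c in chain):
        return (True, "pin matched")
    return (False, "pin mismatch")

def make_cert(name):
    # Constructed sample data, not real keys.
    return Cert(name, b"constructed-key:" + name.encode())

PINNED_CA = make_cert("Pinned public CA")     # built-in root the site pins to
OTHER_CA = make_cert("Other public CA")       # built-in root, not in the pin set
LOCAL_CA = make_cert("Locally installed CA")  # e.g. enterprise proxy root
BUILTIN = {spki_pin(PINNED_CA), spki_pin(OTHER_CA)}
LOCAL = {spki_pin(LOCAL_CA)}
PINS = {"www.google.com": {spki_pin(PINNED_CA)}}

def demo():
    """Evaluate one leaf per issuing root and collect the decisions."""
    results = []
    for ca in (PINNED_CA, OTHER_CA, LOCAL_CA):
        leaf = make_cert("www.google.com issued by " + ca.subject)
        results.append(check_chain("www.google.com", [leaf, ca], BUILTIN, LOCAL, PINS))
    return results

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The returned reason string is the part worth logging on a managed endpoint: it distinguishes a connection that passed its pins from one where pins were never checked.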