return to table of content

What is an SBAT and why does everyone suddenly care

userbinator
35 replies
17h57m

Obviously people might screw up, but the spec included a way to revoke any signed components that turned out not to be trustworthy

"trustworthy" according to who? Remember that dystopia does not appear spontaneously, but steadily advances little-by-little.

What's the summary? Microsoft (understandably) didn't want it to be possible to attack Windows by using a vulnerable version of grub that could be tricked into executing arbitrary code and then introduce a bootkit into the Windows kernel during boot. Microsoft did this by pushing a Windows Update that updated the SBAT variable to indicate that known-vulnerable versions of grub shouldn't be allowed to boot on those systems.

Who is Microsoft to decide what others do on their machines? Should they have the right to police and censor software they have no control of? In the spirit of Linus Torvalds: Microsoft, fuck you!

We are seeing the scenario Stallman alluded to over 2 decades ago slowly become a reality. He wasn't alone either.

https://www.gnu.org/philosophy/right-to-read.en.html

https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Things like TPM and "secure" boot were never envisioned for the interests of the user. The fact that it incidentally protects against 3rd party attacks just happened to be a good marketing point.

"Those who give up freedom for security deserve neither."

kmeisthax
22 replies
16h20m

The alternative dystopia is one where the NSA can grab your laptop, rip out the storage, write some code into the boot chain, put the storage back, leave, and you have no evidence to know who did that.

Signed code fixes this by requiring someone actually put their name to the code. If it's not someone I recognize, I don't boot. And yes, the NSA could theoretically compromise a signing key with a $5 wrench. But then they blow their cover. Signatures create a paper trail that makes plausible deniability vaporize.

dmbche
8 replies
15h12m

I mean can you actually protect against the NSA? After Stuxnet, I fully trust that nation/state actors can infect whatever they put their mind to - I'd rather at least have control over my machine

bigiain
6 replies
14h3m

If your adversary is a nation state, you've already lost.

Which gives me another opportunity to quote from my favourite Usenix paper:

"In the real world, threat models are much simpler (see Figure 1). Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@ virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. "

Figure 1:

Threat: Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Solution: Strong passwords

Threat: Organized criminals breaking into your email account and sending spam using your identity

Solution: Strong passwords + common sense (don’t click on unsolicited herbal Viagra ads that result in keyloggers and sorrow)

Threat: The Mossad doing Mossad things with your email account

Solution: • Magical amulets? • Fake your own death, move into a submarine? • YOU’RE STILL GONNA BE MOSSAD’ED UPON

-- https://www.usenix.org/system/files/1401_08-12_mickens.pdf

Grimburger
3 replies
11h45m

If your adversary is a nation state, you've already lost.

Is that why it took 10 years to find Bin Laden, the most wanted man on Earth?

Get the feeling intel agencies aren't as omnipotent or competent as they want people to believe.

jtriangle
1 replies
11h36m

Most of that time he was in a series of caves located in a fairly apathetic nuclear power's boarders.

He was also trained and equipped by the CIA.

So, if you're willing to live in caves where they can't easily search for you after being trained and equipped by the best of the best, sure, you might live slightly longer.

Doesn't seem like a tenable circumstance to me though.

jazzyjackson
0 replies
8h10m

to be fair, he did lose eventually, and it took the CIA impersonating a vaccine distribution program to take blood samples to find him, which is pretty fucking omnipotent if you ask me, although sowing distrust in vaccine distribution did have some unintended consequences...

fsflover
0 replies
2h50m

If your adversary is a nation state, you've already lost.

Did you hear about Snowden?

beng-nl
0 replies
9h51m

Nitpick, this is a column written by James Mickens, not a published paper.

It is funny, true, and wise, though.

computerfriend
0 replies
14h20m

You can at least make it very expensive.

vuln
4 replies
15h19m

I don’t know what country you live in but it’s impossible to decrease your attack surface when targeted by a Nation State Actor. Even more impossible if you live in the country in which the Nation State Actor controls through a plethora of agencies and relationships with corporations.

computerfriend
3 replies
14h20m

It is usually possible to decrease your attack surface.

bigiain
2 replies
13h53m

Unplug all your computing devices, put them in a safe, embed the safe in concrete, drop it all in the sea.

fsflover
0 replies
2h49m

Just try Qubes OS with Heads.

bboygravity
0 replies
3h36m

Yeah that'll work for everybody who never ever touched any cloud service and who's friends and family never ever touched any cloud service (nobody in the real world).

jtriangle
1 replies
11h41m

There's no state actor that any of that would protect against. You, and everyone else, is already compromised at a level so deep there is no hope of digging out if that is your adversary.

What these technologies protect is market share, nothing more.

jvanderbot
0 replies
3h37m

Strong assertions with no justifications.

Targeted attacks against individuals or small groups from state actors are basically impossible to protect against. Widespread compromises of all operating systems at the boot level should be fought against.

I don't really think malice explains Grub being limited b/c of Microsoft's software at the boot level. There's conflicting objectives at play, and that will inevitably produce, well, conflicts.

itohihiyt
1 replies
12h22m

Pretty sure the NSA as a government agency could make a US company do what you're suggesting for them.

jazzyjackson
0 replies
8h14m

Whether the government was allowed to compel a company to write and sign code was going to be determined in the "Apple-FBI encryption dispute" but the FBI withdrew the day before the hearing since they had found another way to crack the phone without apple's help. I wonder if this will ever be re-litigated or the government just learned its easier to pay someone to write an exploit than it is to pay a company to write a backdoor.

https://www.eff.org/deeplinks/2016/03/deep-dive-why-forcing-...

https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...

Two4
1 replies
7h55m

Kompromat on a staff engineer is far more effective, sustainable and silent than a five-dollar-wrench attack

red-iron-pine
0 replies
5h4m

kompromat? pffff money talks. somewhere there is someone who will take a bribe, and 300k to completely compromise every toolchain in the world is a pittance.

userbinator
0 replies
15h30m

The game is already over for those who worry about the NSA spying on them.

Using Windows in its default form means Microsoft already has a full backdoor into your machine, authorised by none other than MS itself.

cesarb
0 replies
5h16m

the NSA can grab your laptop

If the NSA grabbed your laptop, you've already lost. For instance, they could replace all input and output devices (keyboard, mouse, screen, audio, etc) with ones that not only log everything you do, but also allow them to remotely control your machine as if they were physically present. They could then pretend the laptop was opened (by falsifying the hall effect sensor which detects the lid state), power it on (by forging a press of the power button), log into your account (by replaying the password they logged earlier), and do anything they wanted, as if they were you. They could even use the camera to detect when you looked away for a second while logged into the laptop, and quickly do some input, bypassing any extra validation (like fingerprints or a smartcard) logging into your user account might have required. No need to modify or even touch the boot chain and storage.

palisade
5 replies
16h59m

I guess in their defense the same attack can be used against any other OS so they're unintentionally protecting Linux as well, since they stated this was supposed to be a Windows-only system change. You can disable secure boot if you don't want to be secure. And, there is a way to disable the SBAT policy and keep secure boot if you want that, which is also insecure. Disable Secure Boot, login, sudo mokutil --set-sbat-policy delete, reboot again, re-enable secure boot. But, then you're susceptible to the attack.

I think understandably, everyone is concerned because it felt like an affront by MS against Linux. But, I don't think that was their thought process at all.

thwarted
3 replies
16h19m

I think understandably, everyone is concerned because it felt like an affront by MS against Linux. But, I don't think that was their thought process at all.

Given Microsoft's history, it's hard to really be sure. It's been a quarter century since The Halloween Documents and Microsoft definitely gives the air of contributing to the open source ecosystem today, but giants like having a big moat to defend, and old habits die hard. And Microsoft definitely has a reputation, even if, technically, undeserved.

palisade
2 replies
16h0m

There was nothing to be gained in this except ill will. Hanlon's Razor suggests they were in a hurry to fix a security issue and didn't dot their i's on checking for dual boot systems.

literalAardvark
0 replies
11h17m

It's a trolley problem, and it's not in Microsoft's locus of control to keep dual boot systems dual booting. So they don't try.

They have never, ever supported anything other than the Microsoft bootloader[s], and if you work around that for instance it's pretty trivial to blow up your data by hibernating Windows and booting into a different partition. Resuming hibernation loads the old MFT onto the modified partition and you pretty much lose everything.

account42
0 replies
9h47m

If you apply Hanlon's Razor to known malicious actors then the only one being stupid is you. In fact, it's a really bad heuristic for any corporation.

salawat
0 replies
1h8m

But, I don't think that was their thought process at all.

Intent, being squishy and debatable matters far less than the outcome.

I can say that I never intended X, but in the end, X still happened. That it happened unintentionally assuages exactly no injury from X having happened.

sedatk
3 replies
15h39m

Who is Microsoft to decide what others do on their machines?

That would be an amazing rant had it only ended with "Sent from my iPhone".

Since the Blaster worm incident two decades ago, we're in a new era where security at scale becomes the forefront responsibility of the companies developing the product. That includes writing more secure code, having more verifications in place, adopting more secure technologies, but also, limiting user capabilities in order to avoid at scale security incidents.

This isn't about Microsoft. Some of these "forced" limitations are: UAC (User Access Control)/SUDO, Bitlocker/Full disk encryption, App sandboxing/On-demand permissions, Signed firmware and boot mechanisms, signed release binaries, Jailbreak-protections, Limitations on raw packet operations, auto-installed updates, forced security updates, closed source code, built-in anti-malware.

When you have a billion devices running around the world, you can't say "hey we'll let this arbitrary group of billion people do what they think is best for them", because you then end up with Blaster worm, and the whole Earth falls apart.

Think about the more recent CrowdStrike incident. That kind of deployment has been performed by professionals, not even regular people, and yet, it's managed to bring down the entire world to its knees. People might have died because of CrowdStrike.

CrowdStrike happened because one of the "user-empowering" features: ability to install kernel drivers on a machine. Now, people are begging Microsoft to adopt a more isolated, user-mode-only device driver system, so this kind of incident won't happen. Yes, some users who want to install their precious kernel driver could have problems, but at least the world would keep running.

Microsoft is nowhere to be blamed about this. Secure defaults is the responsibility of every product that intends to be used at scale.

If you'd like, you can disable Secure Boot, keep your data in plaintext on your hard drive, let all applications run as root, and you'd be the most powerful user in the universe. I'm all for personal freedom to disable the security features, but, at scale defaults must always prefer security over capability. That's not about Microsoft, or Google, or Apple. That's about at scale risk management.

userbinator
0 replies
15h9m

Blaster was Microsoft's own incompetence. CrowdStrike was CrowdStrike's own incompetence. They are free to fix the problems of their own doing. But messing with software you do not own, on machines you do not own, crosses a line and should be considered an act of aggression. What if some Linux distro releases an update that deletes any installations of Windows it finds "because Windows is insecure" (according to them)?

people are begging Microsoft to adopt a more isolated, user-mode-only device driver system, so this kind of incident won't happen

Those people are, to put it bluntly, either authoritarian idiots or corporate shills. They want to give more control to Microsoft, but it's not like M$ is all that competent either, as what this article and past fiascos (like the Blaster you mentioned) have already shown, so they're going to just make things worse for everyone.

CrowdStrike happened because one of the "user-empowering" features: ability to install kernel drivers on a machine.

And crimes happen because people still have freedom. Doesn't mean we should start imprisoning (or enslaving to the machine) everyone from birth.

"Freedom is not worth having if it does not include the freedom to make mistakes."

trelane
0 replies
3h47m

When you have a billion devices running around the world, you can't say "hey we'll let this arbitrary group of billion people do what they think is best for them", because you then end up with Blaster worm, and the whole Earth falls apart.

The bug is in the fact that billions of machines are running exactly the same proprietary software.

Following the "virus" metaphor, having billions of identical organisms is how you get pandemics, mass die-offs, and extinctions.

account42
0 replies
9h36m

The Blaster rworm did not in fact make the whole earth fall apart. Stop scaremongering.

When you have a billion devices running around the world

This is exactly the point: Microsoft does NOT have those billions of devices, their users do.

CrowdStrike happened because one of the "user-empowering" features: ability to install kernel drivers on a machine.

Crowdstrike happened because the corpration behind it had direct control over the computers it was running on and the ability to install security updates without the user's consent. They even ignored configuration that was supposed to delay updates for critical machines. Spinning this as some kind of failure of user empowerment instead of a consequence of the same kind of ownership inversion that secure boot and other DRM brings is absurd.

at scale defaults must always prefer security over capability

And that's exactly how you end up in a dystopia. Because the demand for increased security never ands and can be used to justify any and all loss of freedom.

zahllos
0 replies
5h35m

At the time of opening this page this was the top-ranked comment and that is a bit depressing. If you read Matthew Garrett's blog in full, you can learn quite a lot about what went into the process of building out secure boot for Linux.

* The UEFI Consortium via their spec mandates nothing, but Microsoft (not mentioned here, but to stick Windows stickers on your boxes and get WHQL for your hardware) requires carrying their db keys: https://mjg59.dreamwidth.org/9844.html

* You can take control of the process yourself and evict Microsoft's keys: https://mjg59.dreamwidth.org/16280.html the details are sort of in here, but let me summarize it for you: by default the platform key is provided by your manufacturer, which signs a key-signing-key, which itself signs updates to the DB (what you can boot) and DBX (what won't boot even with valid signatures). As the article says, x86 specifications explicitly require that this database be modifiable, so you can always install your own keys. I did this for a while, and on my laptop I evicted Microsoft's keys entirely. Ultimately you can bypass this if you can bypass the BIOS password simply by resetting the database or disabling secure boot and... well, https://bios-pw.org/ .

* The whole thing was built so that you can re-sign your own kernels and other bits if you want (you could just sign your distribution's db keys with your KEK, which will make OS upgrades smoother): https://mjg59.dreamwidth.org/12368.html

* Here is an article on secure versus restricted boot: https://mjg59.dreamwidth.org/23817.html - I said above that the x86 specifications explicitly allow the key database to be modified (Microsoft's ARM devices were the inverse).

Now some non-Garrett points:

* To be affected by Windows Update, you need to run Windows. Tautological and true!

* If you update your firmware via, say, LVFS (https://fwupd.org/) and your distribution via its standard tools you get updates to things like dbx all the time. All from your hardware vendor and friendly FOSS folk, no Microsoft involved. You might even be using SBAT right now.

* Those Talos II boards people like? They also have secure boot. It is entirely optional and since Microsoft only implemented a "kinda" version of NT for PowerPC, they're definitely not involved. It is not UEFI, since there's no UEFI for POWER (there is for ARM and RISCV though). You also aren't getting anything from LVFS and barely anything from your distro, but, secure boot is there. You can turn it on.

Personally, providing I can control the keys and decide what is and is not trusted and whether I use it, I am fine with it. Depending on what you want to achieve, secure boot is not always unreasonable, and neither are TPMs - small example, software exploits won't be able to successfully modify the boot chain if you have good key management (i.e. you sign elsewhere). They also have their limitations - as usual, physical access is hard to defend against and remote attestation is a hard problem all around.

fsflover
0 replies
3h12m

I agree with everything except this:

Things like TPM and "secure" boot were never envisioned for the interests of the user.

I am successfully using TPM with coreboot and Heads, with my own keys, to protect against boot attacks on my Librem 14 with Qubes OS.

rwmj
32 replies
1d8h

I really hate the error message from shim (or SB in general) when a security check fails. At tell me what exactly failed and what I could do to fix it.

xnzakg
14 replies
1d7h

Seems to be a general trend in a lot of software nowadays. Vague error messages telling you "Something went wrong" with no additional details.

immibis
5 replies
1d6h

It's not a new trend - error-code based software would propagate that ERROR_INVALID_PARAMETER all the way from the function with the invalid parameter back out to the return value of the user operation, then helpfully tell the user "Invalid parameter!"

Exceptions with string messages and full stack traces might be yet another underrated Java invention.

chuckadams
1 replies
1d5h

Dr Watson is still a thing for getting tracebacks. Doesn’t work for kernel mode of course, but most things don’t.

immibis
0 replies
20h58m

Do you ask your users to run some weird debug tool when the dialog box says "Invalid parameter!"

Does it help? The stack trace at the point where the dialog box is displayed is useless.

ziml77
0 replies
1d4h

God that error is nearly useless even to the developer. Last couple of times I've gotten it, I've dropped the DLL that the error originates from into Binary Ninja and run the debugger to figure out which parameter failed a check.

dwattttt
0 replies
20h8m

I've most recently embraced more complex error objects. It's quite a feeling to get an error description a la

  Failed to open configuration file
  Caused by: 
    Failed to open path PATH
    Error access denied

ack_complete
0 replies
23h7m

Even that at least helps rule out the most common issues, and is less frustrating than an update pooping out 0x80070070 and making you manually translate it to ERROR_DISK_FULL.

ctroein89
1 replies
1d1h

Good error messages are hard. You want to tell the user what to do, but if you knew that the error could be thrown, you probably should have been gracefully handling the problem. You don't know what information is useful to a hacker and you don't know how your error will be propagated. Meaningful errors at one level ("incorrect parameters passed" when calling an API) is perfectly useless at another level ("incorrect parameters passed" when interacting with a React UI). And if you respect all of the above, at some point you'll end up with an error message that basically says "I can't tell you what, why or how something went wrong, but it did."

rolph
0 replies
1d1h

all information is useful to a hacker. if you can find a way to use information beyond creators intent, to achieve your goals regardless of hat color, you are hacking.

ben_w
1 replies
1d6h

I grew up with "System Error Type 11" (or whatever the exact quote was, hard to find on google).

I think the only button on the dialog box was "Restart".

wpollock
0 replies
19h51m

One of the humorists I worked with at Bell Labs in the 1980s would always report error code 13 as the error when no more specific error code was available. When one looked that up in the man page, it just said "you are unlucky".

Cthulhu_
1 replies
1d1h

There's two directions that goes into. Highly specialized error codes with zero results on search engines, or overly generic errors with a billion results and underlying reasons.

Error design needs to be its own subject / specialization. Errors need to say what the problem is and how to fix it, in an ideal world, or what the user can do or should google to solve it.

And of course, any error code of any public software should be listed on a website or a locally accessible resource.

akira2501
0 replies
21h18m

This is where I really love mainframes. The errors all contain a consistent code and a description. The codes are all published, are easy to find nowadays, and have generally good documentation attached to them.

Here's an IBM example, for just a single OS facility: https://www.ibm.com/docs/en/SSLTBW_2.4.0/pdf/hasa100_v2r4.pd...

wongarsu
0 replies
1d3h

Something went wrong frowning smiley. Our engineers are probably working hard on fixing it right now.

kccqzy
0 replies
1d3h

This is why I strongly prefer working on software made by developers for developers. That is to say, internal tooling. You can just show the entire error message in as much detail as possible, without a PM stepping in and saying you can't show this much scary text to the typical user. Especially if the user of the software also has easy access to your source code so they can search for the exact string and find the exact location of the error, and understand exactly what checks are being done to emit that error.

fmajid
7 replies
1d7h

Or at least include a URL to a web page explaining the error and what you can do about it

zokier
5 replies
1d6h

I think Windows BSOD including QR code was pretty clever idea, although unfortunately it's halfbaked in that it's just a fixed generic URL instead of something specific to the error.

syene
4 replies
1d5h

The problem with bootloaders is they really can’t spare a lot of storage. Storing different QR codes for all the common errors might be asking too much.

antonkochubey
1 replies
1d3h

Currently EFI partitions are on the order of 300-500 MB for common installs, that'd allow you to store millions of PNG-compressed QR codes.

Or even better, a small library which'd allow bootloader to generate it on the fly.

fmajid
0 replies
11h40m

On my system the full qrencode binary is 85K, and it supports a lot more output formats than needed in this application.

http://fukuchi.org/works/qrencode/index.html.en

That said, with iPhone cameras supporting live OCR and URL detection, a QR code would be unnecessary.

Dylan16807
0 replies
21h15m

A 50 character capacity QR code requires a whopping 137 bytes to store as a raw image.

Cthulhu_
0 replies
1d1h

You don't need to store the whole QR code, just code to convert an URL into a QR code. Or a good, short URL that can easily be typed, e.g. "microsoft.com/errors/1234"

Yoofie
0 replies
1d6h

No please don't do this. I have lost count how many times I tried to follow a link only to get a 404 page. If there is an issue where the app gives the user an error, show the error details & context directly and list the possible mitigation steps right then and there.

A URL with specific content is just another thing that now needs to be maintained along with the code and failure modes.

zokier
4 replies
1d6h

shim has an EFI variable to control its verbosity, you can set it to output all the gory details with e.g. `mokutil --set-verbosity true`, and on a glance there are some tools on Windows too to modify EFI vars

rwmj
2 replies
1d6h

Why wouldn't that be the default?

wongarsu
1 replies
1d3h

Because most users are afraid of gory details. And the people who know enough to fix it are expected to somehow know how to turn on logging. It's the modern equivalent of "please contact your administrator"

rwmj
0 replies
1d3h

The first thing the "administrator" will need is all the details. If they were printed, the person reporting could at least send a screenshot or similar.

IshKebab
0 replies
1d5h

Handy for the 7 people in the entire world who a) knew this existed and b) bothered to change it.

(Realistically I expect that's mainly used for debugging purposes for the Shim authors.)

imchillyb
2 replies
1d3h

If security vendors followed this logic then all an attacker would have to do is look up the error and render the security moot.

By leaving the reason vague an attacker has no immediate feedback and no clue how to remedy.

I vastly prefer the way this works now.

wtetzner
0 replies
1d2h

The only way this could be an issue is if it's entirely relying on security through obscurity.

saagarjha
0 replies
18h9m

Attackers are smarter than you give them credit for

kccqzy
0 replies
1d3h

I hate error messages from most software. Recently my system failed to boot because systemd told me a start job is running for a certain disk. And it doesn't tell me what the nature of the start job is, why the start job is needed, and why the start job is not finishing. From the disk UUID I could guess the first two, but there was no way to guess the third.

mtlmtlmtlmtl
26 replies
1d7h

This sort of thing is exactly why I have automatic updates disabled on my Windows partition. I've been burned so many times by bad Windows updates breaking stuff. My favourite is when stuff breaks during the "configuring updates" stage after a reboot, leaving Windows in a boot loop with no error codes or anything to help you figure it out. And of course the documentation from MS is utter garbage. Most of the time the only solution I found was to reinstall Windows.

Now I always google around a bit before applying any fresh Windows updates to see of there's any breakage reported.

moffkalast
13 replies
1d6h

I hate to say it but the best way to use windows is to install it, fully update it, nuke the update center, obliterate the update services and leave just defender updates enabled. Then when it's too out of date in a few years, reinstall and repeat.

The result is a rock solid reliable experience that even an LTS linux can't match. Nothing ever breaks, every new piece of software works since it's all mostly self contained, backwards compatible, and not dependent on 13543 dynamic apt deps that all need to be at a specific version. I thought flatpak would fix this on linux, but every time I flatpak itself updates half of its apps break with mysterious error messages and refuse to launch until they're also updated. It's a pretty shit execution what could've been a great windows equivalent. Okay? Okay. Rant over.

9dev
5 replies
1d5h

This is really bad advice—don't follow it. Zero day vulnerabilities are a thing, and you intentionally prevent yourself from getting those fixed quickly. Running critical software without updating may have been possible in some distant past, but it isn't any longer: You will catch an exploit or crypto locker at some point.

Microsoft abusing its update mechanism to pushing crap is nothing new, but downright refusing updates ins't the answer either.

moffkalast
3 replies
1d5h

When a windows update destroys your install, is it really any different from actual malware? I consider it one and protect myself accordingly.

At least you can be careful about the rest with adblocking, sandboxing and being irrelevant enough to not make your machine a target for anyone competent, which gives you a pretty great chance at avoiding them. If you keep built-in malware (and in recent versions, also spyware) running, then getting screwed by it is a certainty. Personally, I'll take my chances and I think the average HN user would not have any problems doing this, but I wouldn't really recommend this approach to someone that's not tech savvy. I'd give them a Chromebook instead.

9dev
2 replies
1d4h

At least you can be careful about the rest with adblocking, sandboxing and being irrelevant enough to not make your machine a target for anyone competent, which gives you a pretty great chance at avoiding them.

That maybe used to be a thing, but isn't anymore really: There only needs to be a single, unpatched vulnerability in your network stack, the multitude of devices around you, whether at home, work, or in a cafe, none of which you control, might exploit.

And one more little piece of trivia; high levels of expertise usually come with increased negligence on the basics, because you're less careful. This affects pilots and nerds alike; just think of Ross Ulbricht.

Good luck :)

moffkalast
0 replies
1d2h

Yeah all it takes for to drop dead is a single blood vessel bursting in one's head, one careless driver, one wrong thing eaten, one wrong step and you fall and break your neck.

It's always one unlikely thing. I don't think living in such paranoia is a life worth living tbh. Some small risks you just accept to live normally, and 99.9% of the time it'll be alright. With 2FA and other multi device safeguards the risk is acceptable. Frankly authentication for things has gotten so bloated that even the actual user has a hard time logging into things these days.

Frankly I'm more worried about losing or damaging my phone, if that happens then I'm far more screwed and it's a risk we all accept every day. I keep it in aluminium armour to de-risk :)

JohnFen
0 replies
1d4h

Windows updates are too dangerous to trust automatically. I've been burned to various degrees too many times to think otherwise. If Windows is too dangerous to use without automatic updates, then it's just too dangerous to use, period.

duped
0 replies
1d4h

Zero day vulnerabilities are a thing, and you intentionally prevent yourself from getting those fixed quickly.

And yet, Windows updates are a bigger threat to me than malware.

coldpie
4 replies
1d4h

I thought flatpak would fix this on linux, but every time I flatpak itself updates half of its apps break with mysterious error messages and refuse to launch until they're also updated.

Linux oldheads could've told you this would happen before the project was even created. We solved package management and dependencies in the 90s and no one has improved on it since. Just stick with stuff in your distro's repos. If it's not in the repos, don't use it. Problems gone.

moffkalast
3 replies
1d2h

Yeah alright but people want to like, do things.

coldpie
2 replies
1d2h

If you want to use proprietary software, yeah, you should use Windows. It's built for that. For better or worse, Linux really isn't.

Edit: Or use Windows binaries with your distro-provided Wine. Win32 is the only stable user-level Linux API.

moffkalast
1 replies
22h18m

Going for a windows build with wine instead of the Linux build sounds completely crazy, but then again Proton works exceptionally well on Steam so this might genuinely be the more long term stable option. I'll have to try that out lmao.

coldpie
0 replies
18h11m

Yeah. It's not the world I would've chosen, but it's the world we've got, lol.

whereistimbo
0 replies
1d4h

Okay? Okay. Rant over.
ParetoOptimal
0 replies
1d5h

The result is a rock solid reliable experience that even an LTS linux can't match.

NixOS because of its generations has been extremely stable for me for years.

Have an issue? Reboot, select yesterdays generation (similar to but better than restore point), and keep working.

BaculumMeumEst
7 replies
1d6h

My Windows install is stuck in a boot loop like this - it spends 10 minutes trying to update and then fails, except maybe 1/3 times it then boots normally. I don't even try to do anything about it, I just marvel at it.

pohuing
2 replies
1d4h

Do you dual boot? That's what mine did when the efi partition was too small for grub and windows' bootloader

BaculumMeumEst
1 replies
1d3h

Yeah, I dual boot. I think my efi partition is around 100mb. I forget if Arch puts just one backup kernel in there, but I feel like I saw a lot of garbage in there once that I had to clear out. Maybe that's the problem, will investigate, thanks.

Macha
0 replies
1d1h

Yeah, 100mb has been insufficient for some windows updates for me in the past. New windows installs create a 500mb EFI, but Windows 7/8 created a 100mb EFI and kept it if updated to Windows 10. Unfortunately resizing it is a pain, as the EFI partition is normally before your Windows partition.

mtlmtlmtlmtl
1 replies
1d4h

Yeah, it turns out applying updates during boot is bad design. I'm sure plenty of people at MS realise it is, but I guess they don't care enough to fix it.

mixmastamyk
0 replies
1d2h

Windows can’t replace running executables, so needs to reboot. Fundamental design not easily changed.

qludes
0 replies
1d6h

I have a Thinkpad that did something like this, it would try to install updates, fail and eventually boot into some kind of recovery wizard that demanded the bitlocker key. That wizard wasn't able to actually fix anything either but after failing a few times the system finally would uninstall the update. The whole process took over an hour with zero feedback.

I had to switch to Linux just to get a machine I could rely on.

cooljacob204
0 replies
1d4h

Last time I saw a computer do that it was due to bad memory sticks.

detourdog
3 replies
1d7h

The last time I had to manages windows I used Unattended to wipe and re-install to a base level. I found that diagnosing and troubleshooting was not worth the effort.

https://tgup.net/

gcr
2 replies
1d7h

How does tgup compare to ninite? The latter seems more polished and older/stable, with more software available.

https://ninite.com/

detourdog
0 replies
1d3h

no idea. This was the early 2000s. I'm sure it's based on the same thing. I set-up a netbsd box as the server and could hook up as many laptop as I had network ports. I would then just hit the enter key or perform a few manually steps when things couldn't be automated.

I'm sure it's all based on silent install or the /s switch for install.bat. If my memory is working.

1oooqooq
0 replies
1d5h

if you're at a point you need either of them, just hire someone too work on the oem scripts.

for personal use, not really worth it imo

if you're installing the right version of windows (Enterprise ltsc) it's already one click install. and your applications will change every week anyway.

notarealllama
20 replies
1d7h

<Tinfoil hat> I think there's more than meets the eye here. I think part of the reason MS is enforcing TPM2.0 and now this SBAT update is that there is widespread rootkit level malware and they are trying to stay ahead of the curve. </Tinfoil hat>

When it comes to the realities of dual-booting, I had tons of problems with Win7/8/10 with suspend-to-hiberfile.sys issues and updates 10 years ago breaking grub. 10 years ago I finally decided, "You know what, I'm just going to run Linux, if I really need Windows or Mac, I can run a VM or use a separate spare computer."

Since then I have successfully setup Secure Boot for my distro, learned how to tweak QEMU for performance and passthrough, got a working QEMU macOS VM (although having to update every few months to keep XCode working is a pain), and generally pretty happy with the state of affairs.

jpnc
6 replies
1d5h

tweak QEMU for performance and passthrough Any guide you could link to that covers all of this? I would like to setup a very performant windows VM.
Arnavion
4 replies
1d1h

Or a single GPU that supports SR-IOV, but AFAIK no consumer-grade GPU provides it.

NekkoDroid
2 replies
1d1h

IIRC Intel iGPUs support it and I read somewhere that their dGPUs do as well, but I might be misremembering.

robotnikman
1 replies
19h26m

Well that's one big feature that would entice me to buy an intel gpu in the future

NekkoDroid
0 replies
6h7m

This is also the only reason I ever thought of buying an Intel GPU, but then I realized "Wait, if I am buying a new GPU I can just use my old GPU for host/passthrough. I don't need a new GPU that is roughtly as good as my current one just for SR-IOV, I'd want one at least much better than my current one" (RX 5600XT, not really top but it does its job)

transpute
0 replies
19h43m

Intel 11th generation (Tiger Lake) clients onward have Xe* iGPUs with SR-IOV.

bongodongobob
4 replies
1d4h

Ubuntu regularly locks up and black screens when I try to sleep/hibernate. It's a very common problem that has nothing to do with Windows or Microsoft. I also have had 0 issues with dual booting for roughly 10 years now. HN wouldn't be HN without some baseless MS bashing.

HumblyTossed
2 replies
1d1h

I have had occasional issues with Windows and various flavors of Linux hibernating but nothing that happens with any regularity - at all - and nothing that can't be solved by simply rebooting.

unethical_ban
1 replies
1d1h

I shouldn't have to reboot in order to fix sleep or hibernate. Their reason for existence is to avoid the need to shut down and restart.

HumblyTossed
0 replies
1h54m

Did you read anything else in my comment?

h4ck_th3_pl4n3t
3 replies
1d4h

When it comes to the realities of dual-booting

The sad and depressing part is that along the way we lost all possibilities of running coreboot or libreboot as an open alternative.

The only real option is to buy a used laptop from before the T44x generation (if you really want it secure)... or newer machines that come with other perks like soldered-on batteries that destroy the mainboard along with them when they leak out eventually.

I am not sure what the consumer rights protection agencies on the planet are doing, but seemingly they've been asleep at the wheel for way too long now.

(Tinfoil hat) (...) I think part of the reason MS is enforcing TPM2.0 and now this SBAT update is that there is widespread rootkit level malware and they are trying to stay ahead of the curve.

The only vendors that seem to do something against it are somewhat System76, Frame.Work, Purism and maybe Starlabs. But the huge majority of devices is under the absolute control of Microsoft's signing process now. So I would argue that this isn't a tinfoil conspiracy, but a strategical decision that MS made to re-grab their lost power on x86 systems.

mixmastamyk
1 replies
1d2h

Framework comes with Intel ME enabled, not able to be disabled, and barely updates their firmware. For example, they left logofail unpatched for a year.

h4ck_th3_pl4n3t
0 replies
12h1m

As I said, the better option would be a pre-Haskell era CPU so that you can flash libreboot on it and don't have to worry so much about intel-ucode, but that would also imply a more than 10 years old laptop.

I just wish there would be more free and open options.

The RISC V meme of the Hackers movie from the 90s is now so old that it's never gonna happen anyways. Those CPUs are nice and all, but you're even better off using a Pentium CPU performance wise, and that's a 20 years old CPU.

transpute
0 replies
19h38m

Novacustom in the EU offers laptops with modern (Intel FSP binary blob) coreboot and optional HAP-disable of Intel ME.

blueflow
0 replies
1d6h

widespread rootkit level malware and they are trying to stay ahead of the curve

Microsoft is within US-legislation. So a three-letter agency already has the keys and their spyware is a signed UEFI module.

Avamander
0 replies
3h57m

[...] there is widespread rootkit level malware and they are trying to stay ahead of the curve.

There literally is. BlackLotus bootkit actively abuses a vulnerability Microsoft has been trying to patch (by updating the blacklist the vulnerable bootloaders) for the past two years and it's still ongoing AFAIK.

1oooqooq
0 replies
1d5h

hibernate always have been more trouble than it's worth. and specially now when boots takes less time than loading your webmail.

it just screams you have no data hygiene. it's the extra step after living years with 723 open tabs.

qemu passtrhu is the way. and if you don't own expensive hardware (i.e. only integrated graphics like all feasible laptops), just dual boot with your own signing keys so you don't have yo worry about revocation crap. either its signed or not. revocation is just replacing the root PK keys.

kuon
14 replies
1d6h

Isn't secure boot the first thing you disable when you install linux?

dripton
3 replies
1d2h

I installed Linux on a new laptop yesterday, and couldn't get either NixOS or Debian to install until I turned off secure boot. So I guess these distros don't bother getting every release signed by Microsoft.

At least it was easy to turn off. I just wish the error message mentioned Secure Boot -- it took me a few minutes to figure out what was wrong. At first I thought I had a corrupt USB stick or something.

teddyh
0 replies
1d

You don’t always have to disable Secure Boot; it usually works with just changing some “OS Type” from “Microsoft” to “Other”.

cesarb
0 replies
1d

There are two separate Secure Boot keys Microsoft uses: one which they use to sign Windows, and another which they use to sign everything else (the "Microsoft 3rd Party UEFI CA"). AFAIK, some recent laptops with Windows preinstalled come by the default with the second one disabled in the BIOS (it's a new Microsoft requirement). To install Linux on these laptops without disabling Secure Boot, you have to go into the BIOS and enable that key.

Arnavion
3 replies
1d2h

You could if you want to, but if your distribution provides a UEFI bootloader (shim / grub / systemd-boot / whatever) signed by the default MS-trusted cert, or you're willing to set up everything yourself with your own certs, it doesn't hurt to enable it either (except when an incident like this happens).

zahlman
2 replies
23h55m

The Mint forums pretty much tell everyone to blanket disable secure boot because nobody seems to know how to make it work, certainly not well enough to explain it to a beginner.

hypeatei
0 replies
5h41m

I accidentally checked "install media codecs" on the Mint installation which requires secure boot. Didn't think much of it but something went wrong later on in the setup causing a restart. Well, it left the secure boot stuff in a weird state and forced me to reset the CMOS because nothing was working or booting.

Arnavion
0 replies
30m

Maybe. From what I know of sbctl I think it would be fine for a beginner, but I can't say for sure because I use my own custom setup, not sbctl.

wilsonnb3
1 replies
1d2h

Depends on the distro, Fedora for example works with secureboot enabled.

If you are using Nvidia graphics you have to deal with signing the kernel drivers but it is pretty easy, AMD or Intel works out of the box.

red-iron-pine
0 replies
4h40m

Yeah I thought Red Hat fought to get their keys installed in there, too. Which is why Fedora and RHEL (and derivatives like CentOS or Rocky) work alright OOTB

0cf8612b2e1e
1 replies
1d2h

This has been my stance for years, but I am open to be persuaded why this is a terrible practice that will lead to kitten murder.

I saw someone else give a similar reasoning that if there were a booting error, they would never assume it was a rootkit, but some breakage between all of the booting cruft. I certainly lack any expertise to understand what happens during boot to be able to diagnose problems.

Sophira
0 replies
17h5m

My stance is similar: I insist that any computer I use to run my main OS uses the CSM (Compatibility Support Module) method of booting. This effectively eliminates UEFI's role completely after control is handed to the bootloader, using the pre-UEFI boot method of locating the first sector of the boot device and executing that.

As a user, I see very little benefit to using UEFI.

jeroenhd
0 replies
3h58m

Most mainstream distros work fine with secure boot still enabled. You can disable it if you want, but if you use Bitlocker, disabling secure boot will require you to enter the recovery key, which is a massive pain.

You can always disable secure boot if you want to, but in this case installing the patches released two years ago would probably be a better fix.

genpfault
0 replies
1d5h

Sure is if you want to hibernate!

pjc50
11 replies
1d5h

Something seems to be wrong with the whole security model.

those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain

This feels like a "my secure compartments are all connected together" moment. If Microsoft want to verify that they're in an all-Microsoft boot chain, sure, whatever, fine. But somehow the compromise of any loader allows compromise of Windows? And in turn Microsoft are able to break grub installations? Why is that acceptable?

(also, I feel a bit "I told you so" about this. Back when all this was being introduced I felt that (a) secure boot increases the risk of locking you out of your machine and/or data loss and (b) a situation where Linux is dependent on the collaboration of Microsoft in order to boot is very dangerous long-term.)

eightysixfour
6 replies
1d5h

This feels like a "my secure compartments are all connected together" moment. If Microsoft want to verify that they're in an all-Microsoft boot chain, sure, whatever, fine. But somehow the compromise of any loader allows compromise of Windows?

Exactly how would you propose starting software securely from an unknown environment?

Back when all this was being introduced I felt that (a) secure boot increases the risk of locking you out of your machine and/or data loss

So does a password and encryption.

skywhopper
3 replies
1d4h

Exactly how would you propose starting software securely from an unknown environment?

Accept that it’s impossible?

wongarsu
0 replies
1d3h

So don't do secure boot at all rather than saying "when one step in the boot chain is compromised that can compromise all later steps"? How is that a better security model?

warkdarrior
0 replies
1d3h

Giving up is certainly an option, but it is not the preferred option for some people (myself included). A partial option is definitely better than giving up, as long as it is well understood.

In this scenario, people who are ready to give up can simply stop updating their software, which will solve their issue. YMMV of course.

eightysixfour
0 replies
1d3h

Okay, so then you need to know the environment, which leads us to secure boot. It isn't perfect, but it is better than nothing.

throwawayqqq11
1 replies
1d

What you need is source of trust and right now its signatures which are outsise of the users control.

A 5 cent hardware button which gives you a small time windows to install a new trusted bootloader could achieve the same thing without trusting microsoft.

kevingadd
0 replies
18h59m

This doesn't actually address some of the scenarios SB is intended for. I.e. you're an IT administrator, you manage a fleet of 1000 machines, you want to ensure that they are all running secure bootloaders and secure kernels and secure software, top to bottom. In that scenario, every end user having a little "security vulnerability" button they can press if they get bored (or feel like being malicious) isn't appealing.

Having to send someone out to press the button at a thousand desks in order to update the bootloader? Also not appealing.

mjevans
1 replies
1d1h

It was never designed to Empower the (end) User.

This is vaguely the experience that should have been present in an Empowered User centric BIOS.

First cold boot; BIOS verifies the hardware isn't broken, checks for a boot preference, finds none.

Present the User with a set of choices: Check for BIOS Updates (manufacturer), Check for OS Choices (manufacturer), Begin installing an OS (options list). Locally cached (present with the system) choices would be listed first. Microsoft Windows (installer) is probably OEM shipped (might not be). Linux / DistroName plugged in USB device, etc... 'Local Network boot (search)', and 'Install from the Internet' (shipped by manufacturer or added by local preference).

The BIOS would also support enrolling ANY signing keys of local preference with user confirmation. This should happen even at first boot for the keys known by the manufacturer; they shouldn't just be in there for free, confirming the key with the user should be part of the flow.

The BIOS _MUST_ also support multiple bootable entries, even if one is the default (without a timeout, even with only manual selection E.G. F12 / F11 / whatever... though this too should be standardized).

akira2501
0 replies
9h20m

The best BIOS would be no BIOS, just find a drive, check for a boot sector, then boot from it. Have an internal USB slot that always gets boot priority for service and for advanced use cases.

The point of personal computers is to make _personal_ computing easy. Everything else can just be an add on.

BlueTemplar
1 replies
1d1h

I have seen recommendations to not dual boot with non-obsolete Windows, because its updates would have a high risk of screwing up grub, but instead give that Windows it's own hard drive, and boot it 'manually', by selecting the boot drive at startup in the 'BIOS'. Sounds like that was good advice ?

rolph
0 replies
23h56m

Personally, as part of powerup procedure, i use a hot swap bay, and select a ddrive from a rack, for the work i have in mind.

dathinab
6 replies
1d3h

I do something similar on all my laptops:

- have custom secure boot platform key

- use a unified kernel image (UKI) which means I directly boot the kernel from efi (and place it in the efi partition)

- sign the image with that platform key (I use sbctrl)

- have every thing else including swap partition for hybernation fully disk encrypted, I could set it up to auto unlock using TPM2 but I would recommend using a long password. TPM2+password would be optimal. There had been too many cases of leaky TPMs and especially on a laptop you don't want to fully rely on it (through you in turn could decide to auto login if PCRs are unchanged, or login using only the (often not so secure) fingerprint reader etc.)

- efi password, I mean if you don't set that you lose most secure boot benefits... EDIT: Not really most, there is still a bunch of ways it helps but it's anyway a bad idea to rely on secure boot and not have a efi password

As bonus tip:

- include the vfat in your initramfs (i.e. `MODULES=(vfat)` in `/etc/mkinitcpio.conf`) if your booting kernel and installed kernel modules ever mismatch that is nice to have to fix the issue

jcalvinowens
3 replies
1d2h

I could set it up to auto unlock using TPM2 but I would recommend using a long password. TPM2+password would be optimal.

Personally, I trust LUKS with passphrases far more than I trust some random proprietary hardware implementation nobody can audit...

It's also important to me to be able to recover the disk contents with the passphrase on another machine if the motherboard dies. Maybe that's what you meant (backup passphrase), but I think you meant requiring both?

dathinab
1 replies
1d1h

I meant:

- I'm only using a long password

- but it would be optimal to require PCR values and password

Note that in any case where you use PCR values you always should setup a secondary way to unlock the partition. Or else you will lose your data if some of your hardware measured into a PCR breaks.

Requiring both is optimal as it 1. doesn't rely on TPM/PCRs but 2. prevent certain attack vectors possible with password only but not possible with PCRs. Through you now also have to manage a backup unlock method. Which is annoying. And the security benefits are negligible/irrelevant for most people. Which is why I don't use it.

3np
0 replies
16h54m

Thanks for sharing your setup!

Nit: It's useful to distinguish between passwords (checked against a hash for auth) and passphrases (used for decryption). It's an important practical distinction because a lost password can in general be bypassed out-of-band somehow while a backup strategy for passphrases is essential.

p_l
0 replies
1d1h

In case of systemd-cryptenroll (and other LUKS-related systemd infra, even without TPM) it's systemd that handles the passphrase to generate a key to unlock LUKS device - possibly combining with a PIN or passphrase or also a FIDO-compatible device or a smartcard.

mixmastamyk
1 replies
1d3h

What are the details with a custom key?

dathinab
0 replies
1d1h

sbctl with package manager hook for automatically signing on updates etc.

keys are just stored on the device, for the typical laptop use-case this is good enough (platform key only used by a single device, no MDA or anything like that)

tostiheld
0 replies
1d4h

The "new" way of doing this would be using systemd-cryptenroll [0]. I did this recently on Ubuntu 24.04. I actually tried the default LUKS+TPM shipped with Ubuntu 24.04 at first [1], but it was a bit disappointing because it locks you into using snap-based kernels. This means you cannot install custom DKMS modules (which I needed). Although Clevis is very interesting software (you can even unlock based on some other computer in your network [2]), it's not absolutely required anymore for LUKS+TPM.

[0] https://fedoramagazine.org/use-systemd-cryptenroll-with-fido...

[1] https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-c...

[2] https://docs.redhat.com/en/documentation/red_hat_enterprise_...

ab71e5
8 replies
1d6h

Microsoft's stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself.

I wonder what went wrong here? If you would read the EFI boot order it would clearly say to boot shim first? Or were these dual boot setups where the user would use the firmware menu to select linux or windows?

Anyway this comes at a time when I want to install linux on my work PC, since it has two nvme slots I think I'll go with installing it on a completely separate drive. Would have not prevented this issue though, which seems a legitimate fix from microsoft, just bad communication.

HumblyTossed
3 replies
1d1h

MS has zero vested interest in caring. If they brake booting for Linux users, how does that hurt them in any meaningful way? Sure they get some press, but is it bad press if most people are never affected by this?

efitz
1 replies
20h47m

I worked for Microsoft for 17 years, most of that in and around Windows.

I can tell you that you are wrong. Whatever the company’s flaws, the people in Windows care deeply about compatibility and about not breaking things with updates. I have hours of stories from the trenches, and could probably talk at length about how such a point of view would be suicidal for the Windows business.

I don’t know what went wrong here, and I’m not saying Microsoft is blameless. I am saying that whatever went wrong was NOT due to lack of caring about breaking things, even non-Microsoft stuff sharing the same computer.

3np
0 replies
16h48m

I think there's a distinction between individuals caring and the corporate ("more than the sum" of individuals comprising it) caring.

In that sense, I don't see your experience as invalidating the statement "MS has zero vested interest in caring"?

systemBuilder
0 replies
23h21m

It makes Linux more robust. Since Microsoft is the king of vulnerability, making Linux more robust is NOT in their best interest. I actually think Microsoft did a GOOD THING. This should create a mad scramble to tighten up security at all those lackadaisical distros!

TiredOfLife
1 replies
1d4h

People that dualboot are probably also people that run random debloat scripts that disable telemetry. So when such system broke there was no signal it happened.

HumblyTossed
0 replies
1d1h

Doubtful. I don't.

thomastjeffery
0 replies
22h2m

Microsoft's bootloader is clearly intended to be a pain in the ass. There is nothing new about this situation. They have been doing it since the 90s when any windows update would write over your MBR without a care in the world. We all hoped that UEFI boot menus would resolve the situation. They would have, if only Microsoft were willing to stop intentionally polluting everyone's partitions. Instead, it is not only the default, but the only option, for the windows installer to squat in the first EFI System Partition it sees. That means that if you install linux first and windows second, windows will install its bootloader to your ESP. Even if it's too small. There is no way to disable this behavior. It's asinine.

P.S. The ultimate irony of this situation is that it actually ends up breaking concurrent windows installs more often than anything else.

iam-TJ
0 replies
1d6h

From the people reporting this affecting their Linux boots in various IRC/Matrix forums and my diagnostics with them, very often they weren't dual-booting in the Microsoft sense, in that they were booting using the UEFI Removable Media Path so there was no entry in the motherboard firmware's Boot menu.

I suspect the MS installer simply scans the EFI BootXXXX entries and looks for a non-Windows boot-loader path like, for example, /EFI/$distro/shimx64.efi

If one-such doesn't exist the installer likely assumes it is not a dual-boot system.

pas
6 replies
1d8h

is it possible to update grub from Windows? or is it enough to disable secure boot, boot Linux, upgrade, reenable?

zokier
4 replies
1d7h

I don't see why you couldn't update grub from Windows, its just EFI binary in ESP after all.

mjg59
3 replies
1d7h

Distro grub is signed by the distro rather than Microsoft, so coordinating that would be extremely difficult

zx8080
0 replies
1d5h

MS could just sign it with whatever three-letter agency certificate they usually cooperate with. /s

cesarb
0 replies
1d6h

From what I understood, the parent's question is not about Microsoft updating grub; it's about a person hit by the bug, and thus in a situation where Windows boots but Linux doesn't, using Windows to copy the correct file (probably extracted from an updated package from the Linux distribution they're using) to the correct place in the EFI partition by hand.

(The first obstacle would be that AFAIK the EFI isn't mounted by default on Windows, but I believe it should not be hard to tell Windows to mount it and give it a drive letter.)

ab71e5
0 replies
1d6h

Why? You could just copy the binary and signature to your EFI partition from Windows? What am I missing here?

dwattttt
0 replies
1d8h

I wouldn't try update grub from Windows, but the second strategy would work.

Hydrocarb0n
5 replies
1d5h

IMO secure boot is a waste of time for most scenarios, if theres closed source EUFI code running god knows what in the background, it dosn't matter how signed and secure your OS kernel is.

Ive never been sucessfully able to dual boot windows and linux on a mobo with secure boot turned on, it seems that is a feature not a bug I'm sure MS would never influence hardware vendors to make it dissadvantage a growing number of linux users.

wongarsu
2 replies
1d4h

TLAs from major powers probably have backdoors in your UEFI, mainboard or OS. But even if they do that doesn't mean they will use them on everyone, they probably keep the good stuff for the most valuable cases. Each use of an attack carries the risk of the attack vector being discovered and prevented in the future. And besides, there are threat actors besides TLAs of the USA, Russia and China.

If you use full disk encryption secure boot is pretty essential, otherwise an attacker can modify the code that asks for your credentials to also log them somewhere easily accessible, circumventing your entire encryption. If you don't do full disk encryption it's still a decent protection against some bootkits.

It can absolutely be more trouble than it's worth. It's not that useful in most desktop computers. But if you are traveling with a laptop it's probably worth some effort to keep secure boot working on that system (and make it more difficult to disable)

mordae
0 replies
10h43m

If I am ever traveling to US, I am wiping the system, installing a clean, stock Linux distribution without any encryption, keeping everything valuable at home.

Once I am behind the border, I am reinstalling the system with encryption, then proceed to download key material and other important stuff from home over the internet.

I am never letting anyone near my unlocked laptop and if I ever find it turned off e.g. while visiting office toilet, I just assume it has been infected with firmware level rootkit and I am wiping it without decrypting.

If it's removed from my sight during the border check, I assume the same, purchase a new one in a brick-and-mortar shop and sell the infected one when I am back home.

account42
0 replies
8h36m

If you use full disk encryption secure boot is pretty essential, otherwise an attacker can modify the code that asks for your credentials to also log them somewhere easily accessible.

In what threat model? If the attacker has access to your PC they can just as well install a physical keylogger intercepting the signals from the keyboard.

The main use case for disk encryption is preventing data loss when the device is stolen. That's a realistic threat that people face, not boogeyment coming into your house and replacing your bootloader with a malicious one.

gorjusborg
0 replies
1d

I've been using 'secure boot' with Debian for a while now. They use a signed first-stage boot loader that allows booting the OS.

I have similar doubts on whether my system is significantly more secure as a result of using it.

1oooqooq
0 replies
1d5h

agree its a waste of time, but we pay the paranoid cost is special occasion. it does make breaking FDE just a little bit more annoying/expensive.

the only time it's worth the hassle for we to enable it: travel to the USA, Russia and most of africa (if the country have USA backed airport security, like uganda). pause updates, enable secure boot with a disposable key we don't store anywhere. that on top of the usual FDE with plausible deniability dual boot.

but we still prefer to just fly contributors with blank devices if we can.

Animats
3 replies
23h8m

Does this interfere with wiping Windows from a system and installing Linux? Or does installing Windows contaminate the TPM module permanently?

cesarb
2 replies
23h0m

Or does installing Windows contaminate the TPM module permanently?

It's not the TPM, it's a simple UEFI variable. AFAIK, there's a way in the BIOS to reset all these variables to their original default value, though you might have to use the "clear CMOS" jumper to do it.

Animats
1 replies
22h15m

though you might have to use the "clear CMOS" jumper to do it.

So installing Windows can break a computer for Linux.

That's a great antitrust issue. Microsoft should be fined for that.

Bognar
0 replies
18h58m

It's almost like you didn't read the article. Anyone can increment the variable, and both MS and the Linux communities agreed on the solution.

How dare Microsoft operate within the bounds of an agreed-upon industry standard, what a monopoly!

zokier
2 replies
1d7h

Major question for me is, are the grubs that are getting rejected completely unpatched, or were they patched by distros without updating the "security generation"?

I'd be also really curious to hear how MS was attempting to do dual-boot detection, I hope someone (more skilled than I) would reverse engineer that bit from the update.

ploxiln
0 replies
23h28m

I agree, this is the key question. It seems like all the distros, and microsoft, need to coordinate on the "security generation", whenever grub (or other linux boot component) releases an update or patch? Maybe that's an extra annoyance they didn't have before, so until now they just left that number alone, and kinda forgot about it?

ChocolateGod
0 replies
1d7h

Major question for me is, are the grubs that are getting rejected completely unpatched, or were they patched by distros without updating the "security generation"?

Reading into https://www.gnu.org/software/grub/manual/grub/html_node/Secu...

It's possible it's both?

I'd be also really curious to hear how MS was attempting to do dual-boot detection

I'm in the boat that they shouldn't doing dual boot detection at all, it sounds like everyone agreed to use SBAT to stop vulnerable bootchains from being exploitable and some Linux distributions got caught slacking.

offmycloud
0 replies
18h15m

Thank you. I had a similar problem in Firefox 129.0.2 on Linux.

stonethrowaway
1 replies
1d4h

Short version: Secure Boot Advanced Targeting and if that's enough for you you can skip the rest you're welcome.

Based. Unfathomably based.

spathi_fwiffo
0 replies
21h35m

agree; defined long acronym immediately in article.

i'll probably read the test, but that's some high quality posting from the get-go!

skywhopper
1 replies
1d4h

Interesting. The question that immediately popped into my head was: How does the secure boot system determine the “security generation” of GRUB exactly? Sounds like just based on the assertion of GRUB itself (and trusted signature of the distribution that built GRUB)?

The fact that the list of allowed GRUB versions is itself manageable via a Windows Update points to some other issues with this particular security scheme, given Microsoft’s own recent history of mishandling private keys.

dist-epoch
0 replies
1d3h

It goes the other way too. An Ubuntu Update could put the Windows bootloader on the deny list.

franga2000
1 replies
12h7m

I don't understand what the expected behaviour is here? Let's say you dual-boot two copies of Arch so we don't drag M$ into this. You update one, get the latest bootloader update that increments this security generation thingy. You reboot to go update the other one as well but its number is too low, so it's unbootable. What now?

jeroenhd
0 replies
11h27m

That's why you wait a while before raising the SBAT requirements, so both of your distros can be updated. Microsoft waited two years, for instance.

elendee
1 replies
14h20m

This hit me 2 days ago as I was shuffling dual boot systems around trying to recover some old data for a client. Kind of hilarious timing tbh, right after I was done laughing arrogantly about CrowdStrike

heelix
0 replies
5h47m

Yah, I got hit by this as well. Was pulling some stuff off of windows, it updated overnight, rebooted, and I woke up to my default Ubuntu boot being horked. A bit of a WTF till I started searching for it. I'll be backing up and leaving that box as Linux + a vm.

tannhaeuser
0 replies
1d7h

Although MS' stance to block old vulnerable grub installs seems reasonable here, I've come to run Windows only for games and a single piece of legacy software (as a backup for my aging x86 Mac) without net access at all. The moment you allow Win updates, everything is up to chances. MS moving around registry keys and other shenanigans to force "telemetry" (aka ads and behavioral data scanning for ML) onto users, even on Windows Pro, should be telling enough. Needless to say, I'm running Win 10.

hypeatei
0 replies
1d5h

because otherwise they're shipping a vector that can be used to attack other operating systems and that's kind of a violation of the social contract

I see the end of the chain still ends up at "trust" in humans/companies at some level. Microsoft broke dual boot systems because they think they know what's best for someone else's system and that's not okay.

glandium
0 replies
6h42m

Fun fact. Just as this story was unfolding, I was installing a Debian system on an Acer desktop machine. The Debian installer wouldn't start with secure boot enabled because of this, but also, once I fixed up things, I couldn't get the firmware to recognize any entry added by Debian. It would hide and deactivate them on its own. I ultimately had to use a copy of the EFI partition on a USB key for it to work.

fuzzer371
0 replies
1d1h

So it's a linked list

fortran77
0 replies
4h9m

All I can think of is choral music arrangements.