Ah, delete the windows partition. That should keep me safe.
The TLDR is that Microsoft released a secure boot update that blocked insecure versions of GRUB. This update was only meant to go out to Windows users since releasing it to dual booted users could break GRUB. However, it was accidentally also released to dual-booted users.
The fix involves disabling dual boot, running a command to reset secure boot, then re-enabling.
accidentally
Right.
Accidentally on purpose
How would they know if you’re dual booting or not?
By checking for entries in the EFI partition(s).
Windows is best run in a VM in Linux. Who knows what the hell it does when it’s running on bare metal. Do you trust Microsoft not to poke around in your Linux disks when you boot into Windows? I don’t.
Windows, as any operating system, is best run in a context most useful to the user and appropriate for the user’s technical level.
- Need to run Windows apps/games and aren’t afraid to tinker around if and when something doesn’t work as expected or your software simply isn’t supported? WINE/Proton.
- Need to run mostly light Windows apps and don’t want to tinker around? VM.
- Need to run Windows apps/games that don’t rely on Kernel-Level Anti-Cheat, want direct hardware access and aren’t afraid to tinker around, especially if you only have one GPU, and when something doesn’t work as expected? KVM
- Need to run any Windows app/game without things constantly breaking or the need to tinker around and staying on top of things? Dual-Boot from different disks, utilize LUKS/FDE and be done with it.
You’re missing one:
- dedicated, air-gapped Windows box used for legacy industrial software
Aside from “lightweight apps in VM” this is the only solution I use now. (Unless you count Proton, but having Steam games Just Work barely feels like a “solution” as it requires zero effort on my part)
I don’t even trust Windows to dual boot off a separate disk without trying to break something anymore.
What about running a Linux to go removable disk and just pull it when you need to boot windows?
This would work but assumes the primary use of the machine is Windows and derates your performance under Linux significantly due to USB speeds. Even if you’re storing your data on the Windows HDD, NTFS drivers are dog slow compared to EXT4 and other *nix filesystems.
Also some BIOSes are a pain to get to boot off removable drives reliably so it really depends on what your machine is.
I’ve used Linux as a primary dev system for well over a decade now, and with the current state of Windows I’d really recommend just taking the leap, keep your Windows box if you need Windows software and build a dedicated Linux workstation.
You can keep only grub on the USB so windows can’t touch it. Avoids all those issues since the main install remains on the SSD.
Personally I just boot windows from usb. Rufus has the ability to install it there
This is a pretty good idea, my wife dual boots and I’ll suggest it to her as Windows keeps trashing the EFI partition.
I actually tried it before for my TV PC that I wanted to also use as a miniserver, with gpu pass through and everything. It was painful to get it working properly, was like 30-40% slower. I also had constant problems with USB peripherals not connecting properly, or going in a sleep state and not waking. Many games didn’t work properly.
Then I decided to just buy a cheap second second hand PC and never looked back.
Well I have my Linux partition encrypted with a unique password. But I don’t dual boot anyway …
I don’t trust them in literally any manner at all.
And this is why I don’t dual boot anymore. Or run Windows anymore for that matter. Learn to play nicely with others please, Microsoft.
Same. It can’t even work correctly when I try and put it into a specific box.
The ultimate issue is a distaste for giving any corporation any control over hardware that I, alone, own.
I have been entirely M$ free for a while now with the exception of one machine which basically acts as a server at this point just hosting hard drives, a thermal label printer and the network scanning applet that my mfp talks to. Every machine I actually use is Linux and I’ve never been happier with the performance of my tech.
Simultaneously, Microsoft has been expanding their efforts so to require Windows users to upgrade to Windows 11, even those who own old machines that don’t have TPM 2.0, while those machines are prohibited to really upgrade to Windows 11, meaning that their owners would need to buy another PC/laptop. Several Windows users were using a cheat to install Windows 11 without TPM 2.0, but Microsoft has been patching it, so it’s going to be a no more. Users of Windows 10 will have two options: buy another PC or migrate to Linux. I’d bet Microsoft already knows the latter possibility. Several distros generally come with the option “dual-boot installation” as default, so there are many novel Linux users, migrating from Windows, that chose to keep Windows together with Linux (so to not lose files and configs they made on Windows). What if something broke Linux and these users that are trying to escape Windows are now forced to use Windows?
Linux distros could’ve prevented this problem by fixing their vulnerable signature when the security flaw was found two years ago. All they needed to do was regenerate the SBAT when the security update came in, but as far as I can tell the broken systems just patched the code (allowing anyone to still exploit it by replacing the Grub executable with a broken version). This is hardly a Microsoft conspiracy. Microsoft gave Linux users two years more than they gave Windows users (and, more importantly, system administrators) when they had a vulnerability like this last year.
Windows users aren’t going to switch to Linux, they use Windows because they want Windows. If they don’t want to make it easy to get infected, they can buy critical security updates beyond the 10 years of standard support Microsoft provided Windows 10 with (the ESU program) or they can keep using their old Windows 10 install without security updates.
Realistically, as long as Google maintains Chrome for Windows 10 (so all those Chrome derived browsers still receive updates), most people are going to be fine when it comes to viruses. The 4% using Firefox may receive even more support through the ESR programme.
I’d expect Microsoft to care more about ChromeOS Flex than they do about Linux on the desktop. Would be nice if Linux would become usable enough for normal people, but it’s still a pretty rough experience if you don’t have a Linux expert around. Maybe one day!
or they can keep using their old Windows 10 install without security updates.
Sure they can… It’s just a matter of clicking “Stay on Windows [old version] for now” on those ever-occurring popups (while Microsoft kindly offers this button to be clicked)
Haven’t seen any of those myself. I don’t think they appear if your PC isn’t compatible.
Secure boot borking systems? Windows assuming it’s the only OS on the machine? I’m shocked
Shocked, I tell you!
Windows assuming it’s the only OS on the machine
That’s not the case. The update was only meant to go out to Windows users. But Microsoft messed up and accidentally released to all users, or at least some who weren’t supposed to receive it. My guess is that Microsoft usually doesn’t update secure boot stuff for dual boot users and instead waits for the distro to push the update.
The bottom line is that a windows update broke grub. Again.
Bottom line is that Linux distros never really bothered to apply a real fix for a security vulnerability and decided to muck on with a quick patch and a lot of hope. This wouldn’t have been an issue if distros fixed their boot configuration two years ago when the problem became publicly known.
It’s a vulnerability that affects secure boot through grub. MS is the interested party in patching it because they’re the ones selling secure boot certifications. It doesn’t surprise me a bit if the open source community is not interested in patching secure boot holes.
They’re not selling anything, they’ve signed the shim loader in collaboration with the Linux community, which then takes control. The shim (the part printing the error message everyone is reporting) didn’t get an update, nor a new signature, because it didn’t need one. It was designed so that distros can compile and run Grub without having to go through the certification process.
Grub was patched two years ago to not execute code at ring 0 when a funky font file gets placed on the boot drive. If you don’t care about that, just disable secure boot entirely and the message goes away.
I was planning to boot into Windows on one of my craptops in order to test a fix from a chip vendor whose configuration software only runs on Windows, but I guess I’ll just … not.
Newbie question: does this affect people using systemd-boot? Does anyone use systemd-boot?
Nobody smart…
Yawn.
Is this teaching us not to dual boot and to have separate devices?
