Follow up to: “Something has gone seriously wrong,” dual-boot systems warn after Microsoft update

SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we’ve seen real world examples of malware wanting to do that (Black Lotus did so using a vulnerability in the Windows bootloader, but a vulnerability in grub would be just as viable for this). Viewed purely from a security perspective, this was a legitimate thing to want to do.

The problem we’ve ended up in is that several Linux distributions had not shipped versions of grub with a newer security generation, and so those versions of grub are assumed to be insecure (it’s worth noting that grub is signed by individual distributions, not Microsoft, so there’s no externally introduced lag here). Microsoft’s stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself. Unfortunately, as is now obvious, that didn’t work as intended and at least some dual-boot setups applied the update and that distribution’s Shim refused to boot that distribution’s grub.

The outcome is that some people can’t boot their systems. I think there’s plenty of blame here. Microsoft should have done more testing to ensure that dual-boot setups could be identified accurately. But also distributions shipping signed bootloaders should make sure that they’re updating those and updating the security generation to match, because otherwise they’re shipping a vector that can be used to attack other operating systems and that’s kind of a violation of the social contract around all of this.

  • Kongar@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    3
    ·
    3 months ago

    I have secure boot and tpm disabled on my rig. I’ve been called a fool for this. But I don’t understand how it works, and this is an example.

    If I was smart enough to code a new OS or a new boot loader (which I’m not) - how does it become different than a virus? Who approves my code is “safe” to run?

    Clearly in this case Microsoft said “those versions of grub are not safe.” So what does that mean? I’m not allowed to run them now because Microsoft decided? That’s all it takes? The whole “what’s safe to run” thing baffles me.

    Am I supposed to believe that a govt agency like the nsa could NEVER put malicious backdoors into Microsoft’s products, that Microsoft would NEVER allow that to happen, and that code would NEVER be flagged as safe?

    I get it…. It helps with obvious viruses and whatnot. But in my experience, all secure boot has ever done for me is cause problems and lock me out of my computer.

    • Laser
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      3 months ago

      Microsoft, by default, decides which code is safe to run, yes.

      However, that’s not the only way to use Secure Boot; I enroll my own certificates in addition to Microsoft’s, allowing code that I sign to be booted into. This requires some UEFI setup once.

      For most machines, Secure Boot should never lock you out completely; you can always disable it, fix your boot chain and reenable.

      I think it’s actually sensible technology, but as every security feature, it usually comes at the cost of some convenience.

      • Trainguyrom@reddthat.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        However, that’s not the only way to use Secure Boot; I enroll my own certificates in addition to Microsoft’s, allowing code that I sign to be booted into. This requires some UEFI setup once.

        Do you by chance have a guide or documentation you followed to do this that you could link?

      • TurboWafflz@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        What is secure boot even going to protect the average user against though? Is there really any chance of a normal user trying to boot something malicious?

        • Max-P@lemmy.max-p.me
          link
          fedilink
          arrow-up
          3
          ·
          3 months ago

          It’s to protect the user against malware that would insert itself in the boot chain and run at higher privilege than the kernel. Just booting a malicious ISO can insert malware in the boot chain without your knowledge. Once you’re in the boot chain, you boot before the kernel, so you can inject whatever drivers you want.

          That’s particularly important on corporate computers where they don’t want users to bypass IT policies, but also important for the average Windows user that won’t stop loading malware on their computers. Without secure boot there’s nothing stopping you from forcing yourself local admin privileges or even silently exfiltrate data.

          That’s been a thing forever: DOS boot sector malware for example. By only booting signed bootloaders and kernels, you can ensure this doesn’t happen.

          I have a friend that abused an insufficiently locked down GRUB to root his workstation at work by using the init=/bin/sh trick to patch a SUID binary to make his own sudo.

          • TurboWafflz@lemmy.world
            link
            fedilink
            arrow-up
            1
            arrow-down
            2
            ·
            3 months ago

            But what average user is booting anything other than their hard disk ever in the past like decade? It just seems like an odd attack vector to put so much effort into stopping on consumer devices, it makes sense for businesses though