this post was submitted on 09 Dec 2025
62 points (91.9% liked)

Linux

60166 readers
490 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago
MODERATORS
nooter692@lemmy.ml
AgreeableLandscape@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
62
Grub and the Microsoft Ransomware (lemmy.ml)
submitted 4 days ago by Moonrise2473@lemmy.ml to c/linux@lemmy.ml
57 comments fedilink hide all child comments
 

TL;DR: bitlocker does not like grub

Full story:

Months ago I installed fedora on my desktop, dual booting Windows 11.

In all this time I never had the need to boot into windows. I remembered that it worked fine after install, good, and then I forgot about that.

Today I needed a specific windows only software, so at grub I chose the microsoft bootloader and... BITLOCKER.

Huh? Bitlocker? Me? What? Searched frantically for that decryption password in my keepass, did not find. What?? How???

After a few minutes staring at that screen I thought, ok let's just wipe that shit and reclaim the space. I went back to linux, opened the partition manager, then remembered that i had something important in single copy over there. Noooooo

Went back to the boot screen to try again, still failed password.

Then I notice the error:

e_fve_pcr_mismatch

that mismatch lets me think that maybe I had something wrong in my booting.

I try to put windows first in the bios and it works! WHAT THE...?!??

So, if i put linux first, then launch windows from grub, bitlocker takes the windows partition under ransom, i can only access if windows is first. And of course in windows 11 x64 is no longer possible add linux partitions in their boot manager (previously it was possible)

Incompetence or maliciousness?

you are viewing a single comment's thread
view the rest of the comments
[–] Buffalox@lemmy.world 18 points 4 days ago* (last edited 4 days ago) (2 children)

Microsoft secure boot is 100% made to be a pain in the ass for Linux users. It doesn't add any security, but is instead a huge added unnecessary risk factor for data loss for users.

[–] 9point6@lemmy.world 13 points 4 days ago (1 children)

It technically does add security in that it prevents a load of attack vectors that would dodge most anti malware tools (i.e. the ones before the anti malware tool can start)

But you're right in that the execution of the idea is unnecessarily painful for Linux

[–] Buffalox@lemmy.world 3 points 4 days ago (1 children)

OK so when did you hear of an actual successful attack that could have been avoided if the user had used secure boot?

[–] 9point6@lemmy.world 10 points 4 days ago* (last edited 4 days ago) (1 children)

Well boot sector viruses used to be all the rage in the 90s, they're entirely impossible under secure boot

Malware rootkits were a pretty big problem about a decade ago, I understand the techniques those mostly used are more or less impossible under secure boot now too

Then we could go into all the government and adjacent industry use cases where state-sponsored targeted attacks are a real concern. Measures like filling USB ports with super glue and desoldering microphones on company laptops is not unheard of in those circles, so blocking unknown bootloaders from executing is an absolute no brainer.

Saying it provides no security is just not true. Your front door isn't only secure if someone has failed to break in

[–] non_burglar@lemmy.world 5 points 4 days ago (2 children)

Secure Boot keys are considered compromised.

https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

If you are recommending secure boot as a security measure, you should stop doing so.

[–] 9point6@lemmy.world 7 points 4 days ago (1 children)

I'm not recommending it, I'm describing why saying it adds no security is silly.

The keys being compromised on some motherboards doesn't mean the whole concept is suddenly inert for every single user

If everyone has a copy of my passwords and authenticator keys, that wouldn't suddenly make 2 factor auth a compromised idea.

Hell, even if you are one of those people running a machine with the compromised keys, it's still going to block malware that was written before the keys were leaked unless malware authors have also figured out time travel.

[–] non_burglar@lemmy.world 1 points 4 days ago

If everyone has a copy of my passwords and authenticator keys, that wouldn't suddenly make 2 factor auth a compromised idea.

Not sure how this relates. If you're saying it was a good idea at the outset, then sure.... If the keys hadn't almost all been leaked by AMI and Phoenix. MS was supposed to have created a Microsoft Certified hardware vendor program for this, which fell apart pretty quickly.

Secure Boot is a joke, both practically (there are many, many tools in use to bypass it) and in my professional circles, it is considered obsolete like WEP. My audit controls for Secure Boot demand that an endpoint management solution like InTune is deployed.

You don't have to take my word for it, obviously. I'm not trying to tell you how to live your life.

[–] erebion@news.erebion.eu 3 points 3 days ago (1 children)

That's just FUD. "Secure Boot keys are considered compromised."...

some are... some

Doesn't mean it's better to turn off all security measures and live without them.

That's like saying a lightbulb stopped working, so now you live without electricity. :)

[–] non_burglar@lemmy.world 0 points 3 days ago (1 children)

The idea itself is fine (not getting into how not cool it is that a vendor holds the key to your bitlocker-encrypted disk once secure boot is turned on).

But so is WEP for WiFi, but no one uses that anymore because it's considered compromised.

some are

65% of all TPM keys is "some", I suppose. But that's not the issue. Keys leak, it happens. The more troubling part is that Microsoft will cheerfully use the leaked key on your affected TPM and you'll get the "safe" check mark in your next audit.

And this was warned about in 2011 when it started rolling out.

As for FUD, I don't have a "fear" angle here. I can't tell you how to live your life, use secure boot if you feel safe doing so.

[–] pulsewidth@lemmy.world 2 points 3 days ago

WEP is insecure - that's why it's not used anymore.

Quite different to a secure protocol that has had some manufacturers leak keys due to poor security practices.

[–] wildbus8979@sh.itjust.works 8 points 4 days ago* (last edited 4 days ago) (1 children)

I don't know which distro you're using, but in Fedora and Debian it's pretty easy to install the signed version of grub and the signed shime and get full secure boot in Linux. No setup needed.

[–] Buffalox@lemmy.world 2 points 3 days ago (1 children)

Only as long as Microsoft allow it, and only because a lot of work was put into that shit. The first couple of years it was very flaky.

[–] SteveTech@aussie.zone 4 points 3 days ago (1 children)

It's easy enough to add your own secure boot keys, you can even remove the Microsoft keys so that only your OS will boot.

[–] Buffalox@lemmy.world 1 points 3 days ago

OK that's new to me, I have to admit I haven't been looking at it for years, I do not feel comfortable following Microsoft specifications, as Microsoft has a long h9istory of fucking things up for others on purpose, and their safety record is probably among the worst in the industry.