Microsoft breaking a bunch of dual-boot systems by revoking insecure versions of grub during a standard Windows update is, uh, not great and was not supposed to happen, but it's worth mentioning that systems broken by this were running known insecure bootloaders and anyone running a distro that's actually on top of security updates was unaffected
(Edit to add: I wasn't terribly clear here. It's not the user's fault if their distro fails to deal with this, it's the distro's)
@mjg59 that "but" before the victim blame is carrying a lot after that "not supposed to happen"
@mjg59 the computers remained bootable into windows, right?
"someone who installed ubuntu or whatever alongside their windows machine and then forgot about it for 2+ years" is probably a decent sized demographic
@mjg59 Honestly, that's not really a good excuse. It's basically never okay to break someone's systems for any reason. And at least from the Linux side, I know for a fact that several distributions struggled to get updated shims from Microsoft since that CVE, so the damage is considerably worse. For example, Fedora and CentOS Stream both didn't get an updated shim until Fedora 40, after well over a year of needing an updated shim to deal with revocations.
@Conan_Kudo It's not a good excuse! But nor is shipping insecure code!
@mjg59 come beat me up for using too old a linux kernel, literally fite me instead, don't treat my personal property inside my home like it doesn't belong to me 🤷‍♂️
@mjg59 "it sucks that a private corporation bricked your other OS 'cause they didn't like the linux kernel on it but hey you shouldn't have been wearing that" come on buddy come down off that fence
@0x00string Microsoft shouldn't have shipped an update that did this and also supported distros should actually fucking ship security updates
So you're saying that Ubuntu doesn't know what they're doing?
Ubuntu 22.04 is indeed still supported, but a fully-patched 22.04 uses a signed Grub that's blocked with Microsoft's August SBAT update.
@wdormann I've no idea how they screwed this up
@mjg59 Nor is relying on your competitor to do a good job of securing *your* systems. Nor is building a system that everyone feels powerless with these days.
I didn't enjoy having to waive fixing secure boot bugs for several releases of Fedora in a row because nobody cares at Microsoft to actually prioritize handling the signing queue.
@mjg59 @Conan_Kudo It's not insecure code. It's not on a security boundary, just a DRM boundary.
@dalias @mjg59 It doesn't matter whether it's a security boundary or a DRM boundary or whatever. What matters is that there's some strange one-sided expectation of responsiveness when it needs to go both ways.
This happened because people don't care about making it good. At this point, I view secure boot purely as a compatibility/interoperability measure, not a security measure. It can't function as a security measure the way it works now.
@Conan_Kudo Uh. The blocker there was, to a large extent, shim not meeting the newer security requirements for signing purposes (like supporting nx properly)
@mjg59 And? It's not like Linux supported it either. Who cares? It's not important when you're going to revoke all our certificates and we can't do squat about it.
Frankly, the silly thing here is imposing a requirement that everyone knows we can't meet. If we can't meet it, it's gatekeeping.
@dalias @Conan_Kudo Weird that it happily loads a kernel that doesn't implement any DRM
@Conan_Kudo No revocations happened until that situation had been resolved
@mjg59 But it wasn't. Shim supported NX since 2022, but it's switched off by default because it's still not supported in the Linux stack fully.
That situation was never handled. We just reached the boiling point and something had to finally ship.
https://github.com/rhboot/shim/commit/be8ff7c2680fed067cdd76df0afc43138c24cc0d
@mjg59 @Conan_Kudo It's "DRM" in the sense of managing what rights you have (to run the OS you want) on your own computer.
@dalias @Conan_Kudo A right you have - either disable secure boot in the firmware or via mok and boot anything
@mjg59 @dalias Well, sometimes. I have encountered computers that don't have that ability. Some Lenovo x86 ones and some early WoA machines don't have it. I don't know about current WoA machines, but I know that it is not required to offer the ability to switch off secure boot on either x86 or aarch64.
@mjg59 @dalias Secure Boot is neither a security feature nor a DRM feature. It's a poorly implemented feature that we all have to live with as a means of interoperability with Windows PCs.
(And I'm saying this as someone who used to be in favor of Secure Boot. Ten years of dealing with the flaws of the system has embittered me greatly.)
@Conan_Kudo Yeah the situation was resolved by Microsoft agreeing to relax those standards
@mjg59 They didn't communicate it. It just kind of happened. Not that I'm not glad we finally got them, but it really sucked how opaque the whole thing is.
It was just in time too, people were starting to notice they couldn't boot Fedora on new computers...
@Conan_Kudo @dalias My standing offer of "Give me the model number of a Windows logo x86 machine that has no way to disable secure boot and I will buy it, test it, and if you're right I'll donate the cost to a charity of your choice and if you're wrong you'll do the same" still applies, but also the MOK design in shim explicitly allows the user to do so even if the firmware doesn't
@Conan_Kudo @dalias The existence of malware that has to subvert secure boot in order to bootkit Windows is pretty strong evidence that it has security relevance
@Conan_Kudo I can assure you that there are lines of communication here
@mjg59 agreed on both points but still don't think anyone should be bricking one's personal property without consent even in the name of security
@0x00string I think this is a touch complicated because many users aren't in a position to provide informed consent but there is a social expectation that vendors will try to ensure their security anyway, but there should at minimum be a mechanism for people who do feel able to make those decisions to be able to make those decisions
@mjg59 bricking the bootloader for an operating system that exists outside the purview of windows is a bit of a stretch here, man. this reach is far.
@0x00string Allowing known vulnerable bootloaders to boot, even if they're from another OS, is an attack vector against Windows (or vice versa). But what was *supposed* to happen in this case was for Windows *not* to apply this update on dual-boot systems, and for the update to instead come from the Linux distros once they'd updated their bootloaders. That's clearly failed in at least some cases, and Microsoft hasn't said why yet.
@0x00string We've had Linux distros ship updates that blocked insecure old Windows bootloaders from booting, so this isn't entirely asymmetric, but it's not possible to protect the boot chain without blocking vulnerable things. And, like I said, the dual-boot case is a fuckup - this was explicitly not supposed to happen
@mjg59 fucked up for linux to do it too, literally exactly the same fucked up, soooo 🤷‍♂️
it wasn't supposed to happen! but it did!
@mjg59 just imagining someone saying that out loud to me in person as I sit in front of my bricked personal property, to be told this was for someone's own good and me too. lmao.
why not let microsoft carry their own water instead of making excuses in advance for them while also simultaneously condescending to the group that actually sustained any harm from the situation at large? wild, man. wild.
@0x00string Dude I am explicitly and clearly saying that breaking dual boot systems was not considered to be for anyone's good and was not supposed to happen and is clearly Microsoft's fault
@mjg59 And why can't any of this be transparent and public? Because at this point, I just can't take statements about the responsiveness of the secure boot stuff at face value anymore.
@0x00string What do you want to argue here? That Microsoft should never revoke known insecure bootloaders on Windows-only systems?
@Conan_Kudo Because it's frequently tied into discussions about undisclosed vulnerabilities
@mjg59 nope, I'm arguing that you can just say microsoft fucked up and owes a lot of people at least an apology without needing to qualify it by re-explaining over and over this or that, like that microsoft revokes vulnerable boot loaders because vulnerable bootloaders are a threat to windows.
i think you and i both know quite well that's not what i want to argue, but i mean whatever man, weird route.
@0x00string Microsoft fucked up in a way that hurt real users and is going to be incredibly difficult and annoying to fix, and also distro vendors shouldn't ship known insecure code that could be used to hurt real people in a very different way
@mjg59 and truth be told, the thing i really took issue with in the first place, before we arrived here was this:
anyone running a distro that's actually on top of security updates was unaffected
that's 100% just victim blaming and it pissed me off enough to want to hop into your mentions and fite.
@mjg59 "and im sorry for blaming people for being the victims of this for simply running software on their own personal computers"
@0x00string I'm blaming the distros, not the users who trust them
@0x00string Users should be able to trust that their distro vendor will provide security updates in a timely manner. When that doesn't happen, that's the distro letting those users down. I have huge sympathy for the users affected by this.
@0x00string I'm sorry I wasn't clear enough on that point and have updated the original post, thank you for explaining what you meant here and apologies for responding to what I thought you meant instead
@mjg59 maybe rethink this. This kind of interference is generally considered a crime when performed by a non-business entity. So why judge Microsoft differently? Your computer, your property, your responsibility. Microsoft should offer a fix but not force it on you. This is wrong on so many levels.
@danielsreichenbach Disable Windows Update and it won't
@andre It wasn't ignored, this update wasn't intended to apply to dual-boot systems. It's a fuckup, not ignorance.
@mjg59 still not okay. It is Windows. It should not run interference on my computer. A Windows update is not expected to modify UEFI etc. even as a person in IT for 40 years... This feels like a violation.
There should at least be an option that says update my firmware.
I am not against them providing this but it should be optional and visible and clear. None of that is the case here. And if you translate this to something like a house you own, we all would call it criminal instead.
@danielsreichenbach Your firmware wasn't updated. It's a legitimate security update for Windows. What sort of information should be supplied to allow an average user to make an informed decision?
@mjg59 Linux also gives you the option to update firmware but imagine the outrage if such an update bricked Windows. Just food for thought.
@danielsreichenbach Linux distros have pushed dbx updates that prevent old Windows bootloaders from running, so, yes?
@mjg59 now that's a good question. Obviously the purpose and risks.
@danielsreichenbach How would you explain that to someone who knows nothing about computers?
@mjg59 SBAT doesn't quite work like that. It's entirely possible for a distro to patch security issues in their bootloaders but not bump the SBAT generation. I can't say for sure that it's uncommon to bump the SBAT generation number, but suffice to say the fact that GRUB appears to still be at generation 3 implies it to me. (I could be wrong about GRUB still being set to generation 3, but I believe that's correct.)
Part of me thinks that this may be partially the result of using SBAT wrong and partially the result of SBAT simply being inferior to DBX for revoking insecure bootloaders. Sadly the flash chips we use simply aren't big enough for DBX to be practical for the current Secure Boot landscape, so SBAT is what we have in the Linux world.
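The generation check that post describes, as an added, constructed illustration rather than code from shim, GRUB, Microsoft or anyone in this thread: a toy evaluator that parses a binary's `.sbat` CSV metadata and an SBAT revocation policy, then applies the per-component generation comparison. It shows why a GRUB that has received a security fix but still declares `grub,3` is refused by a policy requiring `grub,4`, while one that bumped its generation boots. The `grub.example` component, version strings, vendor names and policy datestamp are all made up for the example.

```python
"""Toy model of SBAT generation-based revocation.

Constructed example, not code from shim, GRUB or Microsoft. It applies the
rule from shim's SBAT.md: a policy lists components with the minimum
generation still allowed to boot; a binary whose .sbat section declares a
lower generation for any listed component is refused, regardless of what
its vendor version string says about applied fixes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def parse_sbat_section(text: str) -> List[SbatEntry]:
    """Parse the CSV body of a PE .sbat section.

    Each line is component_name,component_generation,vendor_name,
    vendor_package_name,vendor_version,vendor_url. Only the first two
    fields take part in revocation; the rest are for humans.
    """
    entries: List[SbatEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {raw!r}")
        extras = fields[2:6] + [""] * (4 - len(fields[2:6]))
        entries.append(SbatEntry(fields[0], int(fields[1]), *extras))
    if not entries or entries[0].component != "sbat":
        raise ValueError("SBAT section must start with the 'sbat' header entry")
    return entries


def parse_sbat_policy(text: str) -> Tuple[str, Dict[str, int]]:
    """Parse a revocation policy (the SbatLevel / SBAT_LEVEL payload).

    First line: 'sbat,1,<datestamp>'. Each later line: 'component,min_gen'.
    Returns the datestamp and a component -> minimum generation map.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("sbat,1,"):
        raise ValueError("policy must start with 'sbat,1,<datestamp>'")
    datestamp = lines[0].split(",")[2]
    minimums: Dict[str, int] = {}
    for line in lines[1:]:
        component, generation = line.split(",")[:2]
        minimums[component] = int(generation)
    return datestamp, minimums


def policy_is_newer(candidate: str, installed: str) -> bool:
    """A loader only moves its stored policy forward by datestamp, never back."""
    return int(candidate) > int(installed)


def evaluate(entries: List[SbatEntry], minimums: Dict[str, int]) -> Optional[str]:
    """Return None if the binary may boot, otherwise the reason it is refused.

    Matching is on the exact component name: a 'grub.example' line neither
    satisfies nor violates a 'grub' policy entry, and a component the policy
    does not mention is never revoked.
    """
    for entry in entries:
        required = minimums.get(entry.component)
        if required is not None and entry.generation < required:
            return f"{entry.component} generation {entry.generation} < required {required}"
    return None


def check_binary(sbat_text: str, policy_text: str) -> Optional[str]:
    _, minimums = parse_sbat_policy(policy_text)
    return evaluate(parse_sbat_section(sbat_text), minimums)


# Constructed sample: a GRUB whose vendor version advertises a security fix
# but whose upstream 'grub' generation was never bumped.
PATCHED_BUT_NOT_BUMPED = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,2,Example Distro,grub2,2.06-1example.3+securityfix,https://example.org/
"""

# Constructed sample: the same distro after rebasing onto a GRUB at generation 4.
BUMPED = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.example,3,Example Distro,grub2,2.12-1example.1,https://example.org/
"""

# Constructed policy; the datestamp and generations are illustrative only.
POLICY = """\
sbat,1,2024010100
shim,2
grub,4
"""

if __name__ == "__main__":
    for name, sbat in (("patched-not-bumped", PATCHED_BUT_NOT_BUMPED), ("bumped", BUMPED)):
        reason = check_binary(sbat, POLICY)
        print(f"{name}: {'boots' if reason is None else 'refused: ' + reason}")
```

The point for a distro maintainer is visible in the first sample: the `2.06-1example.3+securityfix` version string is ignored by the check, so backporting the fix without also carrying the upstream generation bump leaves the binary blocked once a policy requiring `grub,4` is installed.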
@pavel I very much do not feel that this is ok, but you're able to run your own code on your own computer regardless
@mjg59 @dalias *For Windows*, it's a security feature for sure. But considering it part of the Linux security model is probably flawed. There is no Linux signing authority, and we do not control the trust chain like Microsoft does for Windows.
Not to mention, Windows' design is better than ours, since they do not require driver certificates to be loaded into firmware. They outclass us on user experience too. We Linux distributions are hobbled in multiple ways. 😦
@Conan_Kudo @dalias Every distro generates their own chain, and everything signed by that distro is trusted. It's identical, except for Linux distros not signing third party drivers.
@mjg59 the fact that linux secureboot is so dependent on microsoft is really sad
@kate It could be entirely independent but that would require a separate hardware ecosystem
@mjg59 I wonder if it's distros that are just too scared to upgrade their Grub on an LTS - there's always the worry about what will break.
@mjg59 @0x00string
Ah, hasn't it been society's convention to leave the operation of devices they don't understand to people who understand them?
You know, you don't know how a plane works, that's why you have pilots.
People without a driving licence generally use cabs and public transport.
So yes, not being able to give “informed consent” should NOT be an excuse to give control of most computers on this planet to a monopoly.
@yacc143 @0x00string you're arguing that people should have to be licensed to be allowed to use computers?
@mjg59 @0x00string
Not necessarily, but the fact is that the younger generations have an awful non-existent basic education in computer science in school.
Compare me to my kids' generation. I was literally one of the nerds in the 80s who could silently run amok around the school IT, as the laws protecting IT literally did not exist yet. OTOH, it was educational. Even if it did not involve the teacher.
The rest of the class had 6 months of non-graded C.S. :shrug:
@yacc143 I'm afraid I'm still struggling to understand your analogy. If people don't understand computers well enough to manage their security, should we prevent them using them at all or should we have someone else handle the security for them (like in the "take public transport" case)?
@mjg59 @0x00string
The problem is, 2 decades later, my daughter had a little more mandatory CS in school, BUT the knowledge level in practical terms when she left school is about the same. Neither on the theoretical side (e.g. logic, state machines, number systems, all that fun we learn as the basics of CS at uni), nor on the practical side (e.g. what is safe to do, what not) do these kids have literally any idea. And it's again the nerds who know at least a bit more.
@mjg59 @0x00string
So it seems I did too much educational preaching while reinstalling that evil OS that I personally don't use (thus I do not have that much issue with dual booting), so my daughter literally gave her laptop to the class nerd for a fresh installation.
Anyway, the points are twofold: education, and now handing over the keys to the kingdom to a commercial entity like Microsoft, so they can decide what you can do on your hardware is a highly stupid idea.
@yacc143 Education would be great, but not everyone is going to receive that education for one reason or another, so going back to your previous analogy we seem to have two choices - forbid those people from using computers, or let someone else take responsibility for their security.