With the resources they have, and these unique findings AI has helped them discover, they should now be in the ideal position to rapidly correct this deficiency in their own bootloader, so that nobody will ever need to use Grub again.
With this level of expertise, now enhanced by AI, and so much effort already behind them so far, it shouldn't take much to push this over the finish line, provided they have an effective enough organization when it comes to enhancing the security of PC users overall. After all, they don't even have to worry about addressing Macs.
I know the engineers are brilliant enough by far, and with nothing holding them back, we should be able to expect a minor revision of of the NT bootloader like this to be arriving any day now.
According to what I see in the article, this would be one of the most timely & useful security patches to show up on Windows Update, I hope they don't drop the ball on this one.
Patch Tuesday is next week but they seem so close they could probably push this critical correction out before that, so watch for it :)
That's why we got secure boot and why windows absolutely clobbers any other bootloaders during install, updates, and random points in between. It's why we have WSL.
I'll bet good money that Microsoft never even considers what you propose. It's antithetical to the mission of "lock all possible users into ad revinue streams". Microsoft won't get their windows ad impressions if they allow you to use a different OS on the hardware you own.
Are you wanting bootmgr.efi to learn how to read arbitrary Linux filesystems, bootloader configurations, and EFISTUB? Why?
Windows supports setting a one time boot using a UEFI BootNext NVRAM variable, directly boots shim.efi, doesn't involve bootmgr.efi
I mean, I replaced Grub with systemd-boot awhile back...
Gee, how clever and thoughtful.
When does Microsoft open their source for searching vulnerabilities?
The creator of SystemD recommends systemd-boot? Seems legit and unbiased.
...and what systemd-boot is? A UEFI only boot menu which gets its data from UEFI only.
I mean comparing two different things and claiming the more featured one too big is mental gymnastics to put it politely.
GRUB having vulnerabilities is not surprising, esp. when the thing is written at an age where computers were completely different things, programming and requirements wise, but insinuating that systemd-boot is the ultimate replacement is, eh, a bit underhanded. Esp. when it comes from Lennart, whose systemd is too big and encompassing for an init system.
It's the pot calling the kettle black, heh.
And btw, not that long ago it was released by researchers than more than 200 platforms from diverse but main laptops and servers manufacturers were still using leaked keys for signing their boot loaders...
Is Apple a joke because they sign the root of trust for their devices? Someone has to be the root authority. Honestly I trust MS more than I do Google or VerisignDigicert. They are the least likely to intentionally break things.
The reason MS controls the root and not Red Hat etc. is because the Linux camp spent years arguing back and forth about exactly how much they hate secure boot - like an HOA arguing over paint colors - instead of presenting solutions.
> So anyone with they certificate key can do whatever they want.
this is literally how PKI works
Somehow I think MS put a little more thought into their PKI design than whatever you're trying to convey here. What were the other options? Store it on a Yubikey sewn into rms's beard?
People are quick to dismiss secure boot simply because they refuse to understand it.
Not like there's any question.
Overwhelmingly more so than for "security" purposes.
Any lesser understanding of Microsoft SecureBoot, well, I understand.
I've seen that kind of that kind of refusal before.
No-one has to be, and it certainly doesn't need to be anyone but the owner of the machine.
Technically the web should work with self-signed certificates. But that is likewise impractical.
But in the case of secure boot, this is worse, because Microsoft is just a "software" editor. But its root certificate and probably a few random others are distributed in countless of devices produced by manufacturers unrelated to them, but also, a few number of software distributors will also have subkeys to be able to sign their os/software. All of that, with zero transparency.
And in the end, if I buy a Lenovo laptop, to have Linux OS running on it, there is no reason and no trust to have my OS be signed by Microsoft, that has the key to run whatever they want on my laptop. Think about it and you will see that it makes no sense at all, if you don't trust Microsoft for your OS, to have to trust them for ensuring a secure boot...
Then manually sign your bootloader.
This feature is available at least in my Gigabyte mainboard, but is not particularly easy to use, which is why bootloaders come pre-signed with a known root of trust. There's nothing stopping the installer from generating the root of trust on the fly, except for the default settings in many machines.
Can also preload measurements for hardware while at it so that nobody swaps a PCIe device for an evil twin.
I understand some computers may not support this as well, so YMMV.
Odd. I wonder if the article was written by AI.
Makes me trust open source operating systems more!
but if they sent the AI through all that ancient code and that's all they found it's not a good advertisement
AI is in he title, but the content is not entirely revolving around it.
Also I would not trust on the current US administration to keep deals that limit US corporations in force forever.
I have used secure boot to secure Linux systems, so it is useful for Linux users. But the danger that oligopolists will misuse it is not unreal.
Never say never, but I just don't see how the option for one to boot an alternative OS on the vast majority of commodity hardware is going to be rolled back any time in the foreseeable future.
It did on Windows RT devices.
I see the BIOS offers a boot menu -- "press F12 during boot to select boot device", it clearly says during POST. I press F12. I choose the USB Sandisk whatever pendrive where my Linux distribution is. It doesn't work -- it still boots straight into Windows. There's no error message whatsoever, it just goes into Windows.
I continue to peruse the BIOS. I find an option to wipe the internal storage. I do it. There is no Windows anymore. I plug in the pendrive and reboot the system. It doesn't work -- it goes straight into a BIOS setup page called "Recovery". It offers me to do hardware diagnostics, as if I had a broken laptop screen or something. Not once it mentions anything about there having been a secure boot failure.
What is this if not blocking people from installing Linux ? All of this used to frigging work. I would put the pendrive and it would boot Linux no questions asked. Or at worst I would need to hold some key while booting. Or in worst case situation I could use _frigging Windows itself_ to boot from a difference device on next boot (they STILL offer this). It. Used. To. Work.
At the end and by pure luck I find out that, like many other computers sold today, and as per the "recommendation" of Microsoft, this computer does not have the "Microsoft UEFI CA key" enabled by default. It is completely logical that I have to enable something about Microsoft UEFI on my BIOS to allow Linux to boot. Completely logical.
Ah, and I get a million warnings while doing that, clearly saying that "This will reduce the security of my computer". I got less warnings when I wiped the disks than when I enabled the MS UEFI CA. Seriously. Don't even think of trying to disable Secure Boot . Your will lose your data faster than if you literally sanitize your disks. Apparently.
And worst of it, the poor distributions that are "Secure Boot" compatible needed to _castrate_ themselves in order for MS to sign them. For example, Suse doesn't support friggin' _hibernation_ anymore. No more NVIDIA drivers. No more loading kernel modules. "Root" is no longer "root" if you boot with Secure Boot. Lockdown is mandatory despite the fact that Linus himself said it was a stupid dumb move to tie Lockdown to Secure Boot status. It happened anyway. That is the power of MS.
And despite the mandatory castrating, MS still goes and ALTERS THE DEAL, since now Secure Boot devices ANYWAY STILL NO LONGER BOOT LINUX DISTRIBUTIONS BY DEFAULT.
Call this whatever you want. I call it Secure Boot working as intended. And that is the problem.
Viruses that bypass the OS and work over your boot loader. They created this to solve other problems they also created. Every famous rootkit I can remember was due to sloppy coding or flat out intentional backdoors in their product (Sony).
Then they help get UEFI off the ground to essentially really broaden the attack surface they just "solved."
Pro tip: If you open like that, people won't take you seriously even if you happen to have a point.
> and all it has done is held back Linux from providing the security benefits of Secure Boot and transparent full disk encryption in an easy-to-administer
Also, we have that. In fact, I accidentally reenabled secure boot on a Linux box recently and only even noticed because it broke the nvidia driver. The closed source driver. If only I'd been more dedicated to only running FOSS then it would have worked.
And, if your distro had you enroll a MOK key and failed to bless all your kernel modules, FOSS or not, then it's still broken. That was also my experience the last time I tried, with the module(s) required to get a Coral TPU going. There existed a hook script that was supposed to do the needful but it wasn't working on that module and I couldn't make sense of it.