Ah, delete the windows partition. That should keep me safe.
The TLDR is that Microsoft released a secure boot update that blocked insecure versions of GRUB. This update was only meant to go out to Windows users since releasing it to dual booted users could break GRUB. However, it was accidentally also released to dual-booted users.
The fix involves disabling dual boot, running a command to reset secure boot, then re-enabling.
accidentally
Right.
Accidentally on purpose
How would they know if you’re dual booting or not?
By checking for entries in the EFI partition(s).
Windows is best run in a VM in Linux. Who knows what the hell it does when it’s running on bare metal. Do you trust Microsoft not to poke around in your Linux disks when you boot into Windows? I don’t.
Windows, as any operating system, is best run in a context most useful to the user and appropriate for the user’s technical level.
- Need to run Windows apps/games and aren’t afraid to tinker around if and when something doesn’t work as expected or your software simply isn’t supported? WINE/Proton.
- Need to run mostly light Windows apps and don’t want to tinker around? VM.
- Need to run Windows apps/games that don’t rely on Kernel-Level Anti-Cheat, want direct hardware access and aren’t afraid to tinker around, especially if you only have one GPU, and when something doesn’t work as expected? KVM
- Need to run any Windows app/game without things constantly breaking or the need to tinker around and staying on top of things? Dual-Boot from different disks, utilize LUKS/FDE and be done with it.
You’re missing one:
- dedicated, air-gapped Windows box used for legacy industrial software
Aside from “lightweight apps in VM” this is the only solution I use now. (Unless you count Proton, but having Steam games Just Work barely feels like a “solution” as it requires zero effort on my part)
I don’t even trust Windows to dual boot off a separate disk without trying to break something anymore.
What about running a Linux to go removable disk and just pull it when you need to boot windows?
This would work but assumes the primary use of the machine is Windows and derates your performance under Linux significantly due to USB speeds. Even if you’re storing your data on the Windows HDD, NTFS drivers are dog slow compared to EXT4 and other *nix filesystems.
Also some BIOSes are a pain to get to boot off removable drives reliably so it really depends on what your machine is.
I’ve used Linux as a primary dev system for well over a decade now, and with the current state of Windows I’d really recommend just taking the leap, keep your Windows box if you need Windows software and build a dedicated Linux workstation.
You can keep only grub on the USB so windows can’t touch it. Avoids all those issues since the main install remains on the SSD.
Personally I just boot windows from usb. Rufus has the ability to install it there
This is a pretty good idea, my wife dual boots and I’ll suggest it to her as Windows keeps trashing the EFI partition.
I actually tried it before for my TV PC that I wanted to also use as a miniserver, with gpu pass through and everything. It was painful to get it working properly, was like 30-40% slower. I also had constant problems with USB peripherals not connecting properly, or going in a sleep state and not waking. Many games didn’t work properly.
Then I decided to just buy a cheap second second hand PC and never looked back.
Well I have my Linux partition encrypted with a unique password. But I don’t dual boot anyway …
I don’t trust them in literally any manner at all.
And this is why I don’t dual boot anymore. Or run Windows anymore for that matter. Learn to play nicely with others please, Microsoft.
Same. It can’t even work correctly when I try and put it into a specific box.
The ultimate issue is a distaste for giving any corporation any control over hardware that I, alone, own.
I have been entirely M$ free for a while now with the exception of one machine which basically acts as a server at this point just hosting hard drives, a thermal label printer and the network scanning applet that my mfp talks to. Every machine I actually use is Linux and I’ve never been happier with the performance of my tech.
Simultaneously, Microsoft has been expanding their efforts so to require Windows users to upgrade to Windows 11, even those who own old machines that don’t have TPM 2.0, while those machines are prohibited to really upgrade to Windows 11, meaning that their owners would need to buy another PC/laptop. Several Windows users were using a cheat to install Windows 11 without TPM 2.0, but Microsoft has been patching it, so it’s going to be a no more. Users of Windows 10 will have two options: buy another PC or migrate to Linux. I’d bet Microsoft already knows the latter possibility. Several distros generally come with the option “dual-boot installation” as default, so there are many novel Linux users, migrating from Windows, that chose to keep Windows together with Linux (so to not lose files and configs they made on Windows). What if something broke Linux and these users that are trying to escape Windows are now forced to use Windows?
[This comment has been deleted by an automated system]
or they can keep using their old Windows 10 install without security updates.
Sure they can… It’s just a matter of clicking “Stay on Windows [old version] for now” on those ever-occurring popups (while Microsoft kindly offers this button to be clicked)
deleted by creator
Secure boot borking systems? Windows assuming it’s the only OS on the machine? I’m shocked
Shocked, I tell you!
Windows assuming it’s the only OS on the machine
That’s not the case. The update was only meant to go out to Windows users. But Microsoft messed up and accidentally released to all users, or at least some who weren’t supposed to receive it. My guess is that Microsoft usually doesn’t update secure boot stuff for dual boot users and instead waits for the distro to push the update.
The bottom line is that a windows update broke grub. Again.
deleted by creator
It’s a vulnerability that affects secure boot through grub. MS is the interested party in patching it because they’re the ones selling secure boot certifications. It doesn’t surprise me a bit if the open source community is not interested in patching secure boot holes.
deleted by creator
Newbie question: does this affect people using systemd-boot? Does anyone use systemd-boot?
deleted by creator
Yawn.
I was planning to boot into Windows on one of my craptops in order to test a fix from a chip vendor whose configuration software only runs on Windows, but I guess I’ll just … not.
Is this teaching us not to dual boot and to have separate devices?