this post was submitted on 23 Aug 2024
25 points (93.1% liked)


Now that we're a week in and most people have probably repaired their PCs from the shitty Windows Update breaking GRUB, I have some questions.

I have a dual boot as well and thought I was safe, as I installed my Linux Mint on an independent disk. My friend laughed and told me that won't protect me.

I logged into Windows some days ago as I had to write a document in MS Word for university and the windows update told me it was ready with a very threatening red dot in the tray. I expected it to take control over my PC and to reboot 10 times, do some typical Windows stuff, but nothing happened.

Now I have this update waiting and I am scared my Linux will break. I know there are fixes out there, but is there a way to prevent it BEFORE it happens? Can I somehow upgrade the vulnerable GRUB version?

Thanks a lot for your help my fellow penguin fans.

[–] [email protected] 9 points 3 months ago* (last edited 3 months ago)

Let’s assume it’s deactivated, would that be a negative thing security-wise?

"Secure Boot" is one of those doublethink names that doesn't mean what one would assume. As originally designed, it was more about keeping "Designed for Windows 8" computers "secure" on Microsoft's behalf against their owners by preventing alternate OSs like Linux from being installed than it was for doing anything for the device owner's benefit. In other words, it's a locked bootloader that prevents jailbreaking.

Obviously there was a lot of pushback (and continued to be with each new Windows release) and the nightmare scenario of locking Linux out of running on new desktop PC hardware hasn't come to pass (yet), but the normal way that Linux distros achieve "compatibility" with Secure Boot is by including a "shim" bootloader signed by Microsoft. In other words, normal desktop Linux depends on Microsoft's goodwill to be "allowed" to run.

Although I believe it's possible for a Linux user to use Secure Boot for their own benefit by generating and signing their own encryption keys instead of using the "shim," I think it's something that only the most paranoid folks actually do.


Also, somebody's gonna say it so it might as well be me: the foolproof way of preventing Windows from breaking your Linux install is to quit booting into Windows, and to start using e.g. LibreOffice instead of MS Word to write your school documents.