Follow up to: “Something has gone seriously wrong,” dual-boot systems warn after Microsoft update

SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we’ve seen real world examples of malware wanting to do that (Black Lotus did so using a vulnerability in the Windows bootloader, but a vulnerability in grub would be just as viable for this). Viewed purely from a security perspective, this was a legitimate thing to want to do.

The problem we’ve ended up in is that several Linux distributions had not shipped versions of grub with a newer security generation, and so those versions of grub are assumed to be insecure (it’s worth noting that grub is signed by individual distributions, not Microsoft, so there’s no externally introduced lag here). Microsoft’s stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself. Unfortunately, as is now obvious, that didn’t work as intended and at least some dual-boot setups applied the update and that distribution’s Shim refused to boot that distribution’s grub.

The outcome is that some people can’t boot their systems. I think there’s plenty of blame here. Microsoft should have done more testing to ensure that dual-boot setups could be identified accurately. But also distributions shipping signed bootloaders should make sure that they’re updating those and updating the security generation to match, because otherwise they’re shipping a vector that can be used to attack other operating systems and that’s kind of a violation of the social contract around all of this.
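The generation comparison described above, as an added example that is not part of the original post and is not shim's own code. It is simplified to the per-component minimum-generation check; the SBAT entries, the revocation level and the `exampledistro` name are constructed sample values.

```python
import csv
import io

# Constructed sample data (not taken from any real binary or update).
# .sbat section entries: component,generation,vendor,package,version,url
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.exampledistro,1,Example Distro,grub2,2.06-1,https://distro.example/grub2
"""
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,2,", "grub,4,")
# Revocation level held in firmware: component,minimum generation
SBAT_LEVEL = """\
sbat,1,2024010100
shim,2
grub,3
"""

def parse(text):
    """Return {component: generation} from SBAT CSV text."""
    out = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].strip().isdigit():
            out[row[0].strip()] = int(row[1])
    return out

def revoked_components(binary_sbat, sbat_level):
    """List (name, generation, required) for components below the minimum."""
    have, need = parse(binary_sbat), parse(sbat_level)
    return sorted(
        (name, gen, need[name])
        for name, gen in have.items()
        if name in need and gen < need[name]
    )

def boot_allowed(binary_sbat, sbat_level):
    """A binary is accepted only if none of its components are revoked."""
    return not revoked_components(binary_sbat, sbat_level)

if __name__ == "__main__":
    for label, sbat in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        bad = revoked_components(sbat, SBAT_LEVEL)
        print(label, "-> boots" if not bad else f"-> refused: {bad}")
```

On a real system, `mokutil --list-sbat-revocations` shows the revocation level currently applied, which is the input the second argument stands in for here.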

  • prole · 71 upvotes · edited · 3 months ago

    So they claimed it wasn’t supposed to affect dual boots, yet it was specifically to patch a vulnerability in GRUB, something a Windows-only user has no reason to ever use (that I’m aware of)?

    So how could this have affected anyone but people who dual boot? Sketchy.

    • ReveredOxygen@sh.itjust.works · 15 upvotes · 3 months ago

      I believe the idea is that even if the machine is running Windows, an attacker could just boot an affected grub version from a USB to perform the exploit

      • prole · 3 upvotes · 3 months ago

        I don’t dual boot so I had no reason to read the article carefully.

        • okamiueru@lemmy.world · 6 upvotes · 3 months ago

          But then again, you did comment on what the article was about. Which would make it relevant to know what the article was about.

          • prole · 2 upvotes · edited · 3 months ago

            And I do, generally. But like I said, I did not read it carefully because I had no reason to.

            So if they addressed what I said, I didn’t read that part. 🤷🏻