So they were trying to patch systems that use GRUB for Windows-only installs? What a load of BS. Why would anybody install GRUB to boot only Windows with that? Or am I overlooking something?
Furthermore, if GRUB has a security issue, they should’ve contributed a patch at the source instead of patching it themselves somehow.
I’m a bit stunned at the audacity of touching unmounted filesystems in an OS patch. Good thing Windows still doesn’t include EXT4 and BTRFS drivers because they might start messing with unencrypted Linux system drives at this rate
They updated the system key store to invalidate known vulnerable boot configurations. One of those configurations was old versions of Grub, which had a pre-boot exploit a couple of years ago.
The issue has already been patched for years, but it appears some Linux distros never bothered to update their system configuration. Not sure if this is a shortcoming of Grub or one of the distro maintainers that were affected, though.
In fact, Microsoft tried to not apply this patch on dual boot systems, leaving them vulnerable but working, but clearly their detection failed. I think their detection required chainloading the Windows bootloader or something?
Either way, the only Linux file that Windows will ever touch with updates is the “fallback for when the boot configuration is completely fucked” bootloader, which both Linux and Windows overwrite after installation, incase the boot configuration gets completely fucked. If you’re relying on that bootloader, you were always going to get fucked by some update eventually; either your installation failed or your motherboard is broken.
What is that latter fallback called? I set up my boot manually using an EFI stub last time I installed arch but wasn’t aware of any fallback bootloader
I don’t know what systemd-boot does, but the normal way to install a bootloader is to copy an efi file to the right folder (/EFI/archlinux/grubx64.efi or whatever) and register the bootloader in the boot configuration store. This allows you to pick the OS from a list by hitting the boot menu key for your device (f8/f12 usually I think?) rather than having to rely on something like systemd-boot or Grub to list all of your operating systems. This way, you can also boot UKIs and other Linux kernels compiled to simple EFI files, without ever even touching an independent bootloader.
As a fallback, both Windows and some Linux bootloaders copy their files to the /EFI/Boot/bootx64.efi directory. This makes the drive bootable in cases where the boot configuration store is broken, or if the drive wasn’t hooked up to the same motherboard when the installation was done. This is particularly important for installer drives, because you don’t want to add a boot entry to your motherboard for every installer you plug in.
The downside of this fallback file is that it’s just one single file in a preset directory, like the MBR of old. Some motherboards come with a file browser to select the EFI application you want to boot, but many will just give you a boot menu and nothing more. Because it’s a single file, that bootloader can either be Windows or it can be Linux. This isn’t a problem normally, but on broken motherboards this can render a system Windows-bootloader only or Linux-bootloader only. You can add both Linux and Windows to either, but the file being booted it always the last one that got updated.
There’s also a weird edge case for when you install Linux on a GPT disk from CSM mode, where the GPT disk will have an MBR. That makes the Linux system incapable of using any UEFI features and it has the same problem: if Windows puts its bootloader there, the drive will boot Windows.
As for bootloaders themselves, you generally only install one (though there’s nothing preventing you from installing both and having both be bootable, because they’re just entries in the UEFI menu!). If you want, you can install bootable Linux kernels as well, without any bootloader, though those don’t let you pick your boot options.
Thanks for the detailed explanation, makes a lot of sense! I guess what I did was set up a UEFI entry that specifies the location of the Linux kernel without any intermediate bootloader. Pretty sure I didn’t set the fallback, so I’m guessing that’s still owned by windows.
Yes, I think you did. In that case, I don’t think Linux will claim the fallback loader entry. Windows doesn’t always copy its files there, so the file may not even exist. If that’s the case, you’ll only ever encounter the fallback paths on an installer/recovery disk.
I agree they should have sent a patch to the grub source, but keep in mind big software companies like microsoft, Verizon, … do not normally allow their product teams to send a patch or PR to open source projects. This is because in their contract it states that all code written on and during company times is owned by the company. This means that it is impossible for them to make a patch or PR because it would conflict with the projects licence and fact its open source.
This changes when the team explicitly works on the foss product/project like the ms wsl team or the team working on linux supporting azure hardware, but that is an exception. I do not believe the microsoft kernel/bootloader team is allowed to send patches to grub.
Its a terrible thing, and it shouldnt be, but thats the fact of the world atm.
This means that it is impossible for them to make a patch or PR because it would conflict with the projects licence and fact its open source.
That’s not how it works. It just means the company owns the code for all intents and purposes, which also means that if they tell you that you can release it under a FOSS license / contribute to someone else’s project, you can absolutely do that (they effectively grant you the license to use “their” code that you wrote under a FOSS license somewhere else).
And not every team is allowed to do that.
Also, youre telling somebody who has worked with big companies not allowing it in their employer contract that he is lying? Riiiight…
A lot of google devs also are not allowed to do any linux work outside of work without explicit permissions because of all the internal docs, teams and other work being done on linux from within google. Development rights is an absolute mess, legally.
I usually dont care and do what is right, despite what my emploter contract says, but i have gotten in trouble for it
do not allow software developers to send a patch or PR to open source projects.
But this sentence in particular was misleading. Maybe you specifically did not have the right to do so, but in the Linux and BSD codebases there are a lot of @microsoft @netflix @oracle contributions, so at least there is someone in those companies authorized to do so
There are teams that are allowed, and within those companies are teams that are directly related to foss projects because those companies are in the foundation or supports of the foundation. However, thats doesnt mean every (product) team in the company is allowed to or that they can do or change whatever they like. Its a complex mess
They can forbid you to work on opensource stuff while being in free time? I mean, I understand that you are not allowed to generate open code that utilises private know how of the company you work for. But not working on Linux in free time seems very strange to me 😮
Yeah if you write proprietary code and then work on a similar project in your spare time, your company might sue you because you’re likely reusing code you’ve seen or written at work.
For example Windows developers are forbidden from working on ReactOS
Thats just dual booting. That wont work with the law if the contract says anything created using company hardware is theirs.
And yes, some companies need to give you a green light to work on projects in your free time, because they might have a team doing similar things somewhere, it might compete in something they would like to do in the future or like you said, might use company know how which is a huge nono.
Its bs imo, but those clauses and rules are found in some employment agreements.
Remember, always read your employment agreements!
Yes, but not all devs within microsoft are allowed to work on non-ms foss projects. I assume wsl devs are allowed to send stuff to linux but visual studio devs probably are not.
The wrote and released VS Code - a completely opensource development environment. If they wanted to patch Grub I bet they could have found the permissions internally to do that. Microsoft is a lot more open to OSS contributions then they were in the past.
Not saying youre wrong, but you took the wrong project as an example hehe.
Visual code is not open source. Its core is, but visual code isnt.
The difference is what visual code ships with, on top of its core.
Its like saying chrome == chromium ( it isnt ).
Visual code comes with a lot of features, addins and other stuff that isnt in the core.
.net debugger for example, is not found in vscodium ( build of the vscode core ). And there is more stuff i cant think of now but have come across.
Source: been using vscodium for a few months instead of vscode
I know, hence why i said youre not wrong but the example was wrong :p
Also, its more complex than that. Some teams can, some cant. And if they can it all depends on what project or context. The business world isnt that cut and dry hehe
this changes nothing: microsoft should have sent a patch remains microsoft should have sent a patch; internal policies are irrelevant to actions effecting external projects
So they were trying to patch systems that use GRUB for Windows-only installs? What a load of BS. Why would anybody install GRUB to boot only Windows with that? Or am I overlooking something?
Furthermore, if GRUB has a security issue, they should’ve contributed a patch at the source instead of patching it themselves somehow. I’m a bit stunned at the audacity of touching unmounted filesystems in an OS patch. Good thing Windows still doesn’t include EXT4 and BTRFS drivers because they might start messing with unencrypted Linux system drives at this rate
They updated the system key store to invalidate known vulnerable boot configurations. One of those configurations was old versions of Grub, which had a pre-boot exploit a couple of years ago.
The issue has already been patched for years, but it appears some Linux distros never bothered to update their system configuration. Not sure if this is a shortcoming of Grub or one of the distro maintainers that were affected, though.
In fact, Microsoft tried to not apply this patch on dual boot systems, leaving them vulnerable but working, but clearly their detection failed. I think their detection required chainloading the Windows bootloader or something?
Either way, the only Linux file that Windows will ever touch with updates is the “fallback for when the boot configuration is completely fucked” bootloader, which both Linux and Windows overwrite after installation, incase the boot configuration gets completely fucked. If you’re relying on that bootloader, you were always going to get fucked by some update eventually; either your installation failed or your motherboard is broken.
What is that latter fallback called? I set up my boot manually using an EFI stub last time I installed arch but wasn’t aware of any fallback bootloader
I don’t know what systemd-boot does, but the normal way to install a bootloader is to copy an efi file to the right folder (/EFI/archlinux/grubx64.efi or whatever) and register the bootloader in the boot configuration store. This allows you to pick the OS from a list by hitting the boot menu key for your device (f8/f12 usually I think?) rather than having to rely on something like systemd-boot or Grub to list all of your operating systems. This way, you can also boot UKIs and other Linux kernels compiled to simple EFI files, without ever even touching an independent bootloader.
As a fallback, both Windows and some Linux bootloaders copy their files to the /EFI/Boot/bootx64.efi directory. This makes the drive bootable in cases where the boot configuration store is broken, or if the drive wasn’t hooked up to the same motherboard when the installation was done. This is particularly important for installer drives, because you don’t want to add a boot entry to your motherboard for every installer you plug in.
The downside of this fallback file is that it’s just one single file in a preset directory, like the MBR of old. Some motherboards come with a file browser to select the EFI application you want to boot, but many will just give you a boot menu and nothing more. Because it’s a single file, that bootloader can either be Windows or it can be Linux. This isn’t a problem normally, but on broken motherboards this can render a system Windows-bootloader only or Linux-bootloader only. You can add both Linux and Windows to either, but the file being booted it always the last one that got updated.
There’s also a weird edge case for when you install Linux on a GPT disk from CSM mode, where the GPT disk will have an MBR. That makes the Linux system incapable of using any UEFI features and it has the same problem: if Windows puts its bootloader there, the drive will boot Windows.
As for bootloaders themselves, you generally only install one (though there’s nothing preventing you from installing both and having both be bootable, because they’re just entries in the UEFI menu!). If you want, you can install bootable Linux kernels as well, without any bootloader, though those don’t let you pick your boot options.
Thanks for the detailed explanation, makes a lot of sense! I guess what I did was set up a UEFI entry that specifies the location of the Linux kernel without any intermediate bootloader. Pretty sure I didn’t set the fallback, so I’m guessing that’s still owned by windows.
Yes, I think you did. In that case, I don’t think Linux will claim the fallback loader entry. Windows doesn’t always copy its files there, so the file may not even exist. If that’s the case, you’ll only ever encounter the fallback paths on an installer/recovery disk.
In the mind of Microsoft, Windows is the only OS and all things on computers exist to facilitate Windows.
lol they fuck with my BIOS boot settings to the point i had to password it. they are that bad.
Grub has already been patched, that doesn’t mean distributions shipped it. SBAT broke systems that hadn’t been updated.
I agree they should have sent a patch to the grub source, but keep in mind big software companies like microsoft, Verizon, … do not normally allow their product teams to send a patch or PR to open source projects. This is because in their contract it states that all code written on and during company times is owned by the company. This means that it is impossible for them to make a patch or PR because it would conflict with the projects licence and fact its open source.
This changes when the team explicitly works on the foss product/project like the ms wsl team or the team working on linux supporting azure hardware, but that is an exception. I do not believe the microsoft kernel/bootloader team is allowed to send patches to grub.
Its a terrible thing, and it shouldnt be, but thats the fact of the world atm.
That’s not how it works. It just means the company owns the code for all intents and purposes, which also means that if they tell you that you can release it under a FOSS license / contribute to someone else’s project, you can absolutely do that (they effectively grant you the license to use “their” code that you wrote under a FOSS license somewhere else).
Not true. A lot of commonly known closed source companies contribute to open source software, including Linux and BSD
And not every team is allowed to do that.
Also, youre telling somebody who has worked with big companies not allowing it in their employer contract that he is lying? Riiiight…
A lot of google devs also are not allowed to do any linux work outside of work without explicit permissions because of all the internal docs, teams and other work being done on linux from within google. Development rights is an absolute mess, legally.
I usually dont care and do what is right, despite what my emploter contract says, but i have gotten in trouble for it
I’m not saying you’re lying, but you said
But this sentence in particular was misleading. Maybe you specifically did not have the right to do so, but in the Linux and BSD codebases there are a lot of @microsoft @netflix @oracle contributions, so at least there is someone in those companies authorized to do so
Fair, and ill edit my post accordingly!
There are teams that are allowed, and within those companies are teams that are directly related to foss projects because those companies are in the foundation or supports of the foundation. However, thats doesnt mean every (product) team in the company is allowed to or that they can do or change whatever they like. Its a complex mess
Thank you for have brought us your experience!
They can forbid you to work on opensource stuff while being in free time? I mean, I understand that you are not allowed to generate open code that utilises private know how of the company you work for. But not working on Linux in free time seems very strange to me 😮
Edit: deleted wrong “Edit:”
Yeah if you write proprietary code and then work on a similar project in your spare time, your company might sue you because you’re likely reusing code you’ve seen or written at work.
For example Windows developers are forbidden from working on ReactOS
Thats just dual booting. That wont work with the law if the contract says anything created using company hardware is theirs.
And yes, some companies need to give you a green light to work on projects in your free time, because they might have a team doing similar things somewhere, it might compete in something they would like to do in the future or like you said, might use company know how which is a huge nono. Its bs imo, but those clauses and rules are found in some employment agreements.
Remember, always read your employment agreements!
😂 edited the wrong post, lol
What? Microsoft have written and released and contributed to many open source projects - they created vscode for one. They are even one of the top contributors to the Linux kernel.
Yes, but not all devs within microsoft are allowed to work on non-ms foss projects. I assume wsl devs are allowed to send stuff to linux but visual studio devs probably are not.
The wrote and released VS Code - a completely opensource development environment. If they wanted to patch Grub I bet they could have found the permissions internally to do that. Microsoft is a lot more open to OSS contributions then they were in the past.
Not saying youre wrong, but you took the wrong project as an example hehe.
Visual code is not open source. Its core is, but visual code isnt. The difference is what visual code ships with, on top of its core.
Its like saying chrome == chromium ( it isnt ).
Visual code comes with a lot of features, addins and other stuff that isnt in the core.
.net debugger for example, is not found in vscodium ( build of the vscode core ). And there is more stuff i cant think of now but have come across. Source: been using vscodium for a few months instead of vscode
Sure, my bad. But it does not change my point. They have released stuff as opensource even if not all of it. Which means they can if they want to.
I know, hence why i said youre not wrong but the example was wrong :p
Also, its more complex than that. Some teams can, some cant. And if they can it all depends on what project or context. The business world isnt that cut and dry hehe
this changes nothing: microsoft should have sent a patch remains microsoft should have sent a patch; internal policies are irrelevant to actions effecting external projects