Patch Tuesday not Done ’til LINUX Won’t Run?
“Something has gone seriously wrong.” You can say that again, Microsoft.
Many dual-boot Linux PCs have been failing—and it’s Microsoft’s fault. The problem is caused by a misapplied Secure Boot (SBAT) revocation update in last week’s Patch Tuesday security rollup.
But, as we revealed last month, Secure Boot is basically broken, anyway. In today’s SB Blogwatch, we might as well turn it off.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Waymo chaos.
Redmond Reboot Redux
What’s the craic? Sergiu Gatlan reports: Windows updates break dual boot on some Linux systems
“Microsoft has yet to acknowledge”
Following this month’s Patch Tuesday, the August 2024 Windows updates are breaking dual boot on Linux systems. [It] is caused by Microsoft’s decision to apply a Secure Boot Advanced Targeting (SBAT) update to block Linux boot loaders unpatched against the CVE-2022-2601 GRUB2 Secure Boot bypass vulnerability.
…
While Redmond says that the SBAT update that blocks vulnerable UEFI shim bootloaders should not impact dual-boot systems in any way, many Linux users say that their systems … no longer boot, [with] “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
…
The only apparent way to revive the device is to disable Secure Boot, install the latest version of their favorite Linux distro, and re-enable Secure Boot. Microsoft has yet to acknowledge [the issue].
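To make the quoted failure concrete, here is an added example (not code from the article, from shim, or from Microsoft) that models the SBAT generation check shim performs: the policy names components and a minimum generation, and a binary whose `.sbat` section carries a lower generation for any named component is refused. The `.sbat` contents and the SbatLevel-style policy below are constructed samples in the documented layouts; the component names, generation numbers and vendor strings are assumptions for illustration, not the exact values shipped in the August update.

```python
import csv
import io

# Constructed sample of an old shim's .sbat section, in the documented CSV
# layout (component, generation, vendor name, package, version, URL). On a
# real system the section can be dumped with:
#   objcopy -O binary --only-section=.sbat shimx64.efi /dev/stdout
OLD_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.7-1,https://example.invalid/
"""

# Same (hypothetical) distro, rebuilt on a shim whose upstream generation is 4.
NEW_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,2,Example Distro,shim,15.8-1,https://example.invalid/
"""

# Constructed revocation policy in the SbatLevel layout: a header line
# "sbat,1,<datestamp>" followed by "component,minimum_generation" lines.
SBAT_LEVEL = """\
sbat,1,2024010900
shim,4
grub,3
grub.debian,4
"""


def parse_sbat_section(text):
    """Map component name -> generation from a binary's .sbat section."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0].startswith("#"):
            continue
        gens[row[0].strip()] = int(row[1])
    return gens


def parse_sbat_level(text):
    """Return (policy, datestamp) from SbatLevel-style text. The header's own
    'sbat' generation is part of the policy too."""
    rows = [r for r in csv.reader(io.StringIO(text)) if len(r) >= 2]
    if not rows or rows[0][0] != "sbat":
        raise ValueError("SbatLevel must start with an 'sbat' line")
    datestamp = rows[0][2] if len(rows[0]) > 2 else ""
    policy = {r[0].strip(): int(r[1]) for r in rows}
    return policy, datestamp


def sbat_check(section_text, level_text):
    """Apply the SBAT rule: reject if any component named in the policy appears
    in the binary with a generation below the policy minimum. Components the
    policy does not name are unconstrained. Returns (ok, reason)."""
    binary = parse_sbat_section(section_text)
    policy, datestamp = parse_sbat_level(level_text)
    if not binary:
        # Assumption in this model: a binary with no .sbat data fails the check.
        return False, "no .sbat data"
    for component, minimum in policy.items():
        gen = binary.get(component)
        if gen is not None and gen < minimum:
            return False, f"{component} generation {gen} < {minimum} (policy {datestamp})"
    return True, f"meets policy {datestamp}"


if __name__ == "__main__":
    for label, section in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        ok, reason = sbat_check(section, SBAT_LEVEL)
        print(f"{label}: {'boots' if ok else 'Security Policy Violation'} ({reason})")
```

This is why the recovery path quoted above works: a freshly installed distro ships a shim whose generation meets the raised policy. On a machine that can still boot Linux with Secure Boot off, recent `mokutil` can show the active revocations (`mokutil --list-sbat-revocations`) and request that the policy be cleared on the next boot (`mokutil --set-sbat-policy delete`), after which Secure Boot can be re-enabled; a freshly applied Windows update may raise it again.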
How did that happen? Sean Endicott explains: Microsoft breaks dual-boot Windows and Linux PCs
“Microsoft security”
The update was not supposed to ship to dual-boot systems, but it was sent out to them, seemingly by accident. … As the saying goes, two is better than one. … Dual booting Windows and Linux is relatively common, but, … due to a mistake by Microsoft, dual-boot systems are unable to boot.
…
“The SBAT value is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems. … You might find that older Linux distribution ISOs will not boot. If this occurs, work with your Linux vendor to get an update,” … said a Microsoft security bulletin.
Huh? TimeWinder parses that for us:
Microsoft said it wouldn’t install on dual-boot systems. Once it’s installed, they’re no longer dual boot systems, right? So they were telling the truth!
People still dual boot? prowler1 “committed to the switch a few years back:”
I ran dual boot for years, mainly for Games and Office. With the advent of Open Office being good enough and Steam providing Proton, my Windows install basically stopped being used about 4 years ago. Ironically, it was broken by a Windows update about 3 years ago and I never bothered to fix it. This year I built a new machine and requiring a Windows boot option was not even considered.
Secure Boot considered harmful? u/UnordinaryAmerican thinks so:
I know SecureBoot to have 2 main theoretical benefits:
1. Only allow bootloaders signed by the specified vendors or administrators to boot.
2. “Report” the next step of the boot process with the TPM before handing it off.
…
With those two (theoretical) benefits, combined with full disk encryption, a physical attacker’s access is severely restricted. [But] in practice, it’s a bit of a mess: … TPM communication is insecure and open to many attacks. … Windows Updates make it near-useless … and makes the TPM unhappy often. … If the system trusts Microsoft’s keys, it’s little better than unsecured boot.
…
It’d be nice if the implementation was as nice as the theory.
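The commenter's second benefit (measured boot) and the complaint that updates make "the TPM unhappy" are two sides of the same mechanism, so here is an added example (not the commenter's code, and not a real TPM or BitLocker implementation) that simulates TPM 2.0 PCR extension over a boot chain and a key sealed to the resulting PCR value. The boot images, names and the 32-byte volume key are constructed sample data, and the XOR "seal" is a toy stand-in for a TPM PCR policy, used only to show the binding.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: PCR' = H(PCR || digest). One-way and
    order-sensitive, and not resettable from software, which is what lets a
    verifier trust the final value."""
    return sha256(pcr + digest)


def measure_chain(stages):
    """Each stage hashes and extends the next image before jumping to it.
    Returns the final PCR value and an event log of (name, digest) pairs."""
    pcr = bytes(PCR_SIZE)  # PCRs in this bank start at all zeros
    log = []
    for name, image in stages:
        digest = sha256(image)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone, as an attestation verifier does."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy stand-in for sealing under a PCR policy: the secret is only
    recoverable when the current PCR equals the sealed value. The XOR pad is
    illustrative only, not a secure construction."""
    assert len(secret) <= PCR_SIZE
    pad = sha256(b"seal" + expected_pcr)
    return {"pcr": expected_pcr, "blob": bytes(a ^ b for a, b in zip(secret, pad))}


def unseal(sealed: dict, current_pcr: bytes):
    if current_pcr != sealed["pcr"]:
        return None  # policy mismatch: nothing released, OS falls back to recovery
    pad = sha256(b"seal" + current_pcr)
    return bytes(a ^ b for a, b in zip(sealed["blob"], pad))


# Constructed sample boot chains; the only difference is the shim image.
KNOWN_GOOD = [("firmware", b"UEFI 1.0"), ("shim", b"shim 15.7"),
              ("grub", b"grub 2.12"), ("kernel", b"vmlinuz 6.8")]
AFTER_UPDATE = [("firmware", b"UEFI 1.0"), ("shim", b"shim 15.8"),
                ("grub", b"grub 2.12"), ("kernel", b"vmlinuz 6.8")]


def demo():
    fde_key = b"constructed-32-byte-volume-key!!"  # constructed sample key
    good_pcr, good_log = measure_chain(KNOWN_GOOD)
    sealed = seal(fde_key, good_pcr)
    new_pcr, _ = measure_chain(AFTER_UPDATE)
    return {
        "log_replays": replay_log(good_log) == good_pcr,
        "unseal_known_good": unseal(sealed, good_pcr) == fde_key,
        "unseal_after_update": unseal(sealed, new_pcr),  # None: recovery prompt
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from it: a bootloader swap that Secure Boot would happily sign-check still changes the measured value, so any secret sealed to the old chain stays locked until it is re-sealed to the new one. That is the intended protection against a physical attacker, and also the reason a routine update can land a user in the recovery screen.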
Sounds pretty pointless. b1k3rdude isn’t surprised:
How is this a surprise to anyone? Secure Boot is anything but, and unless you’re in an enterprise environment, pointless.
And neither is Akdor 1154:
It’s unclear to me why Microsoft tried to patch it at all, ever – GRUB is not part of Windows and nothing to do with Microsoft. Why is Windows trying to patch the bootloader of an operating system it knows nothing about?
It’s not surprising this blew up in everyone’s face.
Is this even Microsoft’s fault? Yes, says arglebargle_xiv:
Oh it’s definitely a Microsoft issue, the error message, “Something has gone seriously wrong,” tells you that immediately. If it was anything to do with Linux it’d actually tell you what the problem was, and possibly even how to fix it, or at least give you a diagnostic message to Google.
…
Since it’s Microsoft, all you get is, “Something went wrong.” Well, no **** Sherlock—you think the fact that it isn’t working hasn’t already told me that?
Meanwhile, redleader stays on target: [You’re fired—Ed.]
The intern responsible for Windows Update is going to get a stern talking to.
And Finally:
Before everyone started using switches, this was how Ethernet worked
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Nathan Dumlao (via Unsplash; leveled and cropped)