Now that we’re a week in and most people have probably repaired their PCs from the shitty Windows Update breaking GRUB I have some question.
I have a dual boot as well and thought I was safe, as I installed my Linux Mint on an independent disk. My friend laughed and told me that won’t protect me.
I logged into Windows some days ago as I had to write a document in MS Word for university and the windows update told me it was ready with a very threatening red dot in the tray. I expected it to take control over my PC and to reboot 10 times, do some typical Windows stuff, but nothing happened.
Now I have this update waiting and I am scared my Linux will break. I know there are fixes out there, but is there a way to prevent it BEFORE it happens? Can I somehow upgrade the vulnerable GRUB version?
Thanks a lot for your help my fellow penguin fans.
the first thing is do you have secure boot on at all (various distros will have various out of the box compatibility with it on). if you dont, then you shouldnt need to worry.
Good question, I will check at next boot. Let’s assume it’s deactivated, would that be a negative thing security-wise?
If it is enabled, you would suggest disabling it?
Let’s assume it’s deactivated, would that be a negative thing security-wise?
“Secure Boot” is one of those doublethink names that doesn’t mean what what one would assume. As originally designed, it was more about keeping “Designed for Windows 8” computers “secure” on Microsoft’s behalf against their owners by preventing alternate OSs like Linux from being installed than it was for doing anything for the device owner’s benefit. In other words, it’s a locked bootloader that prevents jailbreaking.
Obviously there was a lot of pushback (and continued to be with each new Windows release) and the nightmare scenario of locking Linux out of running on new desktop PC hardware hasn’t come to pass (yet), but the normal way that Linux distros achieve “compatibility” with Secure Boot is by including a “shim” bootloader signed by Microsoft. In other words, normal desktop Linux depends on Microsoft’s goodwill to be “allowed” to run.
Although I believe it’s possible for a Linux user to use Secure Boot for their own benefit by generating and signing their own encryption keys instead of using the “shim,” I think it’s something that only the most paranoid folks actually do.
Also, somebody’s gonna say it so it might as well be me: the foolproof way of preventing Windows from breaking your Linux install is to quit booting into Windows, and to start using e.g. LibreOffice instead of MS Word to write your school documents.
the idea of secure boot is that the pc only allows verified OS with the proper key to boot. its meant to prevent attacks from rootkits (pre OS level malware that gains control during the boot process). Not everyone has it enabled. some linux distros require generating a custom boot verification key for it to work with secure boot on, hence why some linux users dont have secure boot enabled at all.
getting a rootkit isnt necessarily an easy task to do, but the idea of having it on is only so you dont have to worry about it happening. so its objectively less security, but its for a problem that is on the scale of happening, much more rare than other forms of maleare.
I honestly don’t think you can. Maybe keep good backups.
Best option would be to install Windows in a VM. Just make sure you have 16 or more GB of ram.
You probably shouldn’t dual-boot Windows at all. They’ve demonstrated that they will break other OSes that you have installed, time and time again.
However, if you absolutely have to dual boot Windows (instead of running it in a VM or something), I’ve been wondering if it might be a good idea to install your bootloader on one of those SD cards that have write-protection switches, and just leave write-protection enabled except when you update the bootloader. That might be the only way I’d feel safe with a non-VM installation of Windows living anywhere near my real OS.
Regedit windows so it can’t update. There is also a windows tool to disable Windows updates, except critical security updates, for 2 years. I can’t remember the name of the program I have and can’t be assed to figure it out, but it is out there.
Might be winaero tweaker?(See reply, Windows-Tool is the app.)That’s the one.
You could build yourself a bootloader-on-USB-thumbdrive. You could then either just decide that’s your primary bootloader and unplug it every time you boot into Windows before it gets far enough into Windows to break your bootloader or just use it as a recovery device to get back into Linux and get Linux to fix your bootloader as soon as you’ve booted it. (The former approach is more in line with your “before it happens” requirement than the latter.)
you could use Windows Boot Manager instead of grub… it’s already built in and being used every time you boot into windows anyways.