Hacker Remix

Microsoft reports several bootloader vulnerabilities

85 points by hacknslack 4 days ago | 53 comments

usr1106 17 hours ago

That grub has security vulnerabities does not surprise me, it's just too big. That's why Lennart recommends systemd-boot. (Incidently a Microsoft employee, but I have no information that he would have been involved in these discoveries.) U-boot again is typical embedded software, a field generally known more for hacks than strict programming practices. So I cannot say I would be shocked. That said, I would be surprised if systemd-boot or Microsoft's loader had zero vulnerabilities hiding somewhere.

When does Microsoft open their source for searching vulnerabilities?

FirmwareBurner 16 hours ago

>That's why Lennart recommends systemd-boot.

The creator of SystemD recommends systemd-boot? Seems legit and unbiased.

ahartmetz 14 hours ago

There is probably an overlong yet superficial, easy to read post on his blog about it.

onli 15 hours ago

Yeah, and because grub is too big. Says systemd, of all places.

otterley 2 hours ago

systemd-boot is much smaller than grub.

jonathanstrange 15 hours ago

Pulseaudio still doesn't work reliably.

bayindirh 14 hours ago

I think Pipewire has completely replaced Pulseaudio where it matters.

ahartmetz 14 hours ago

Yes, PulseAudio works great since it's actually PipeWire.

bayindirh 14 hours ago

GRUB is too big? Maybe because it's 30 years old and can boot at least 11 architectures.

...and what systemd-boot is? A UEFI only boot menu which gets its data from UEFI only.

I mean comparing two different things and claiming the more featured one too big is mental gymnastics to put it politely.

GRUB having vulnerabilities is not surprising, esp. when the thing is written at an age where computers were completely different things, programming and requirements wise, but insinuating that systemd-boot is the ultimate replacement is, eh, a bit underhanded. Esp. when it comes from Lennart, whose systemd is too big and encompassing for an init system.

It's the pot calling the kettle black, heh.

zelon88 7 hours ago

"To demonstrate how efficient our product, CoPilot is, we've decided to use it to uncover vulnerabilities in competing products."

Gee, how clever and thoughtful.

fuzzfactor 8 hours ago

Well if Microsoft was as serious about security as they could be, they would have made sure the NT6 boot routine would boot Linux without needing Grub a long time ago.

With the resources they have, and these unique findings AI has helped them discover, they should now be in the ideal position to rapidly correct this deficiency in their own bootloader, so that nobody will ever need to use Grub again.

With this level of expertise, now enhanced by AI, and so much effort already behind them so far, it shouldn't take much to push this over the finish line, provided they have an effective enough organization when it comes to enhancing the security of PC users overall. After all, they don't even have to worry about addressing Macs.

I know the engineers are brilliant enough by far, and with nothing holding them back, we should be able to expect a minor revision of of the NT bootloader like this to be arriving any day now.

According to what I see in the article, this would be one of the most timely & useful security patches to show up on Windows Update, I hope they don't drop the ball on this one.

Patch Tuesday is next week but they seem so close they could probably push this critical correction out before that, so watch for it :)

mystified5016 7 hours ago

I've always thought it was exceptionally clear that Microsoft emphatically does not want you to dualboot.

That's why we got secure boot and why windows absolutely clobbers any other bootloaders during install, updates, and random points in between. It's why we have WSL.

I'll bet good money that Microsoft never even considers what you propose. It's antithetical to the mission of "lock all possible users into ad revinue streams". Microsoft won't get their windows ad impressions if they allow you to use a different OS on the hardware you own.

heelix 1 hour ago

I'll be pissed if they broke my Ubuntu instance ...again under the guise of security.

cmurf 6 hours ago

I don't understand why you think GRUB is required. Or what boot sequence (or use case) involves UEFI > NT6 > GRUB > linux.

Are you wanting bootmgr.efi to learn how to read arbitrary Linux filesystems, bootloader configurations, and EFISTUB? Why?

Windows supports setting a one time boot using a UEFI BootNext NVRAM variable, directly boots shim.efi, doesn't involve bootmgr.efi

fuzzfactor 3 hours ago

>what boot sequence (or use case) involves UEFI > NT6 > GRUB > linux.

Good example of a nonideal approach, but I would settle for that since at least it's better than how UEFI has developed so far.

I think the "default" sequence for new (naturally Windows-preinstalled) PC's is simply UEFI > NT6 bootloader > Windows.

On mainstream PC's like this, for users to include Linux if they want to (without disturbing Windows) it should be a straightforward option to install Linux to its own partition, and end up with UEFI > NT6 bootloader > Windows or Linux. Your choice by paying attention to the built-in NT6 bootmenu upon power up, whenever you don't want to boot automatically to the default OS.

With exactly the same workflow as you used to be able to with BIOS. I know there are subsurface differences, but always hold out hope that maybe someone will be advanced enough to handle this much abstraction ;)

This deficiency was not a factor before UEFI struck, since the NT6 bootloader would start Linux under BIOS with no problem. Still will, and Grub will still start Windows, working smoother than ever even in UEFI. NT5 bootloader was even good enough, and you can probably go back to NT3.

>Windows supports setting a one time boot using a UEFI BootNext NVRAM variable, directly boots shim.efi, doesn't involve bootmgr.efi

Even better than that, both Windows and Linux are complete enough as an OS, that if either of their bootloaders are properly installed & configured, then no NVRAM variables need to be depended on whatsoever. Those variables are functionally just a shortcut or fallback which can compensate for lingering defects.

Plus I never thought Grub was required, I always prefer Syslinux.

No matter what, there's not supposed to be any need for a shim.

cmurf 1 hour ago

>end up with UEFI > NT6 bootloader > Windows or Linux

I don't see any advantage to involving Microsoft in the boot process.

>paying attention to the built-in NT6 bootmenu

UEFI firmware vendors provide a boot manager (the UI) for choosing what installed OS to boot. Apple has offered a graphical boot manager (option key at the boot chime) since forever.

NT6 isn't free or open source software so I don't see the various Linux projects wanting NT6 involved at all, in either the single or dual boot use case.

But in effect you're proposing different boot paths, and different UI/UX depending on whether the system is Linux-only or dual boot Windows Linux.

>This deficiency was not a factor before UEFI struck

I can't tell what deficiency you think UEFI has that BIOS didn't have. But maybe you don't like specs? Or are you referring to the much latter added UEFI Secure Boot?

>No matter what, there's not supposed to be any need for a shim.

You seem to think Microsoft wants to be in the business of executing arbitrary and unsigned code, despite all efforts proving the opposite.

dismalaf 6 hours ago

> nobody will ever need to use Grub again.

I mean, I replaced Grub with systemd-boot awhile back...

greatgib 16 hours ago

To start with, security of "secure boot" there is a joke because anyway all os have to be signed by Microsoft itself. So anyone with they certificate key can do whatever they want.

And btw, not that long ago it was released by researchers than more than 200 platforms from diverse but main laptops and servers manufacturers were still using leaked keys for signing their boot loaders...

donnachangstein 14 hours ago

> security of "secure boot" there is a joke because anyway all os have to be signed by Microsoft itself.

Is Apple a joke because they sign the root of trust for their devices? Someone has to be the root authority. Honestly I trust MS more than I do Google or VerisignDigicert. They are the least likely to intentionally break things.

The reason MS controls the root and not Red Hat etc. is because the Linux camp spent years arguing back and forth about exactly how much they hate secure boot - like an HOA arguing over paint colors - instead of presenting solutions.

> So anyone with they certificate key can do whatever they want.

this is literally how PKI works

Somehow I think MS put a little more thought into their PKI design than whatever you're trying to convey here. What were the other options? Store it on a Yubikey sewn into rms's beard?

People are quick to dismiss secure boot simply because they refuse to understand it.

rcxdude 14 hours ago

>Someone has to be the root authority

No-one has to be, and it certainly doesn't need to be anyone but the owner of the machine.

donnachangstein 14 hours ago

> No-one has to be, and it certainly doesn't need to be anyone but the owner of the machine.

Technically the web should work with self-signed certificates. But that is likewise impractical.

kbolino 8 hours ago

You can enroll your own certificates as long as you have unlocked firmware. However, in order for vendor ISOs to boot without modification, they need to be signed by some trusted root beyond your control.

AshamedCaptain 2 hours ago

Not really? The entire use model could be "just show a prompt on first use" which literally MS is trying to kill, because oh it just so happens the status quo basically benefits them and nobody else.

kbolino 57 minutes ago

I'm not sure what's being complained about here. Most PCs (still) come with Windows, so "first use" will have occurred before you obtained the computer. A motherboard bought separately usually comes unlocked so you can remove the Microsoft certificate if you don't want to trust it anymore. If you're saying that unlocked parts bought individually should not come with any certificates trusted out of the box, I don't necessarily disagree, but this would be a regression in security and convenience for the average user, so it's unlikely to be adopted.

fuzzfactor 7 hours ago

All evidence has always pointed to the purpose of Microsoft SecureBoot being introduced primarily as an obstacle to continued use of Windows 7 as well as Linux on PC's going forward when Windows 8 PC's were released.

Not like there's any question.

Overwhelmingly more so than for "security" purposes.

Any lesser understanding of Microsoft SecureBoot, well, I understand.

I've seen that kind of that kind of refusal before.

greatgib 13 hours ago

Basically a little bit yes. Especially for an entity located in US and with strong links to the basic government.

But in the case of secure boot, this is worse, because Microsoft is just a "software" editor. But its root certificate and probably a few random others are distributed in countless of devices produced by manufacturers unrelated to them, but also, a few number of software distributors will also have subkeys to be able to sign their os/software. All of that, with zero transparency.

And in the end, if I buy a Lenovo laptop, to have Linux OS running on it, there is no reason and no trust to have my OS be signed by Microsoft, that has the key to run whatever they want on my laptop. Think about it and you will see that it makes no sense at all, if you don't trust Microsoft for your OS, to have to trust them for ensuring a secure boot...

AstralStorm 13 hours ago

Technically you can revoke the default root of trust and install your own.

Then manually sign your bootloader.

This feature is available at least in my Gigabyte mainboard, but is not particularly easy to use, which is why bootloaders come pre-signed with a known root of trust. There's nothing stopping the installer from generating the root of trust on the fly, except for the default settings in many machines.

Can also preload measurements for hardware while at it so that nobody swaps a PCIe device for an evil twin.

vladvasiliu 15 hours ago

Some PCs are able to use your own keys, which can be used to sign your bootloader. This has worked well for me with various HP computers (EliteBooks and EliteDesks). One of those, which only runs Linux, will refuse to boot the Windows installer. On my work laptop, I've also added the Windows key (not the 3rd party one) so I can dual-boot.

I understand some computers may not support this as well, so YMMV.

greatgib 8 hours ago

Here is the article I was referring to: https://arstechnica.com/security/2024/07/secure-boot-is-comp...