this post was submitted on 09 Dec 2025
64 points (93.2% liked)

Linux

60132 readers
1474 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
64
Grub and the Microsoft Ransomware (lemmy.ml)
submitted 2 days ago by Moonrise2473@lemmy.ml to c/linux@lemmy.ml
57 comments fedilink hide all child comments
 

TL;DR: bitlocker does not like grub

Full story:

Months ago I installed fedora on my desktop, dual booting Windows 11.

In all this time I never had the need to boot into windows. I remembered that it worked fine after install, good, and then I forgot about that.

Today I needed a specific windows only software, so at grub I chose the microsoft bootloader and... BITLOCKER.

Huh? Bitlocker? Me? What? Searched frantically for that decryption password in my keepass, did not find. What?? How???

After a few minutes staring at that screen I thought, ok let's just wipe that shit and reclaim the space. I went back to linux, opened the partition manager, then remembered that i had something important in single copy over there. Noooooo

Went back to the boot screen to try again, still failed password.

Then I notice the error:

e_fve_pcr_mismatch

that mismatch lets me think that maybe I had something wrong in my booting.

I try to put windows first in the bios and it works! WHAT THE...?!??

So, if i put linux first, then launch windows from grub, bitlocker takes the windows partition under ransom, i can only access if windows is first. And of course in windows 11 x64 is no longer possible add linux partitions in their boot manager (previously it was possible)

Incompetence or maliciousness?

top 50 comments
sorted by: hot top controversial new old
[–] data1701d@startrek.website 22 points 2 days ago* (last edited 1 day ago) (3 children)

It's not malicious or "ransomware", and this is perfectly normal, default behavior for most devices - both macOS and Windows implement full disk encryption in a default install these days, and your key is almost always in your Microsoft Account on the Microsoft website. While Microsoft does a lot of crap wrong, in this case, Windows's failure to decrypt under GRUB is security features actually kind of doing their job. Basically, trying to boot Windows through GRUB confuses the TPM, causing it to not want to give the keys in case the Windows boot partition has been tampered with by bad actors. Thus, you have to boot directly through Windows Boot Manager, not GRUB

Also, secure boot and TPM aren't just some conspiracy by Microsoft to block Linux; they are attempts at implementing legitimately necessary security features. Full disk encryption supported by correctly implemented secure boot and an encryption chip are essential to having modern security. Linux is not blocked by TPM and Secure Boot; it is certainly possible for Linux distributions to take advantage of them to enhance their own security. I have implemented automatic LUKS full disk encryption that similarly fails to unlock if the partition has been tampered with on my Debian install. In theory, they can actually be used to help improve your security.

That is not to say I think TPM and secure boot are good, though. The really obnoxious thing about secure boot is that all the certificates are controlled by Microsoft rather than a standards body or a group of certificate authorities. While so far, Microsoft has kept it relatively open by providing the third party CA and the shim binary in order to avoid having its neck snapped by the FTC, considering the current administration, we don't know how much longer they'll keep it up, and they could actualize the much-feared blocking of Linux.

The other big problem with TPMs and secure boot is that often, there are so many different implementations and frequently major security flaws in their implementations that weaken their protection. A typical petty thief stealing your laptop still probably won't be able to decrypt your drive, but a nation state can probably find a way. It doesn't help that Windows doesn't encrypt communication between the CPU and the TPM (luckily, the Linux kernel does that by default). Despite these issues, I'd say TPM and Secure Boot is better than nothing for most devices; not using them (EDIT: or a non-M$-controlled alternative, like a memorized drive password AND/OR FIDO keys, which may be better) at least in part means your device is more vulnerable to physical access and bootkit attacks than even most Windows laptops, and they are often the only tools at your defense

EDIT: An addendum: Now the really smart thing I've heard people do is to keep the boot partition on a flash drive (possibly with a keypad or biometrics) that you keep with you at all times.

[–] Moonrise2473@lemmy.ml 11 points 2 days ago (1 children)

a nation state can probably find a way

There's no "probably", they can surely find the way, because the decryption key is saved on Microsoft servers, they just need a subpoena for getting it

[–] data1701d@startrek.website 3 points 2 days ago

Precisely. I just use probably as a catch all.

[–] HiddenLayer555@lemmy.ml 3 points 1 day ago* (last edited 1 day ago) (1 children)

Is it possible to use LUKS with a password with a Windows NTFS partition and just have GRUB decrypt it to let Windows boot? Don't intend to dual boot Windows ever but just curious.

Frankly I trust a password stored in my brain way more than whatever keys the TPM is storing. No way something being pushed this hard by Westoid tech corporations doesn't have a backdoor that just unlocks everything for "approved" parties.

[–] data1701d@startrek.website 2 points 1 day ago* (last edited 1 day ago)

The password thing is pretty based, honestly. What you say is probably not possible, as the NT kernel would have to support LUKS, I'm pretty sure, which it doesn't.

[–] ZkhqrD5o@lemmy.world 2 points 2 days ago (1 children)

IMO, this does nothing because it only gives Microsoft full access to your device. And if you're special enough to get the attention of someone capable and willing to physically steal your laptop, install a bootkit on it and give it back to you without you even noticing, then it's just easier to just download the decryption keys from Microsoft at this point. It could have made all of this local like storing it in the TPM, a secure area of the CPU.

Full disk encryption is cool, but not when tethered to Microsoft. With that, they brought themselves into a nasty position even if they didn't want to. Just like when Apple made themselves the sole source of installing programmes on the iPhone devices. China gladly used that and is gladly using that.

[–] data1701d@startrek.website 2 points 1 day ago

I was talking less install a bootkit and giving it back to be and more just straight-up stealing the laptop and seeing if they can get any personal info they can sell before formatting it and eBaying it.

Still, your points are totally valid.

[–] tea@lemmy.today 35 points 2 days ago (3 children)

I have given up dual-booting and just have a Windows VM for work things that require Windows. Less muss, less fuss and I can move the VM around as needed when moving between primary PCs.

[–] sem@piefed.blahaj.zone 1 points 1 day ago (1 children)

I would like to go this route, but I'm really confused about how to do it legally, or even in a gray area sense. I once purchased a Windows 10 Pro license. I'm not sure if that entitles me to being able to install Windows in a VM, but I would really like to do this to run some Windows-only applications that don't seem to work in WINE

[–] tea@lemmy.today 1 points 1 day ago* (last edited 1 day ago)

Yeah, that's basically it. Buy a license and apply it when you install windows from the windows ISO installer on the VM.

If you've already used the license on a PC, you may need a new one or you might be able to transfer it if it's a retail version, not an OEM version.

[–] Engywuck@lemmy.zip 8 points 2 days ago (1 children)

This. And fuck secure boot. Nowadays almost any of can run VMs flawlessly.

[–] wildbus8979@sh.itjust.works 7 points 2 days ago (1 children)

You can even use SecureBoot and TPM in a VM ;) OVMF EDK2 fully supports both ;)

SecureBoot is fine, sucks that vendors won't add distro keys but you can do that yourself, or use the shim.

[–] Engywuck@lemmy.zip 2 points 2 days ago (1 children)

Or just disable it in UEFI and forget about it.

[–] erebion@news.erebion.eu 5 points 2 days ago (1 children)

Security tools are there for a reason. Sure, I can encrypt my Linux rootfs, but that doesn't stop anyone from tampering with the initramfs. Secure Boot + UKI does.

[–] Engywuck@lemmy.zip 1 points 1 day ago* (last edited 1 day ago)

Cool. I still prefer to disable it.

[–] eldavi@lemmy.ml 4 points 2 days ago (6 children)

did you have to buy a windows license to do it?

[–] Engywuck@lemmy.zip 17 points 2 days ago (2 children)

You may want to Google for a dev called Massgrave.

[–] eldavi@lemmy.ml 1 points 1 day ago

thanks, now it makes sense and it's a nice reminder of why i left the windows eco-sphere over a decade ago

[–] eleijeep@piefed.social 1 points 2 days ago (1 children)

Is their GitHub account called massgravel (with an L at the end)? Or is that someone typo-squatting?

[–] Engywuck@lemmy.zip 3 points 1 day ago

Just checked, massgravel (with an L) is right.

[–] 9point6@lemmy.world 6 points 2 days ago (1 children)

You don't have to

If you only need it for 90 days before it expires, Microsoft will give you the VM for free (and if you're particularly industrious, you might write a script that then installs a load of your shit for you to run after you fire up a fresh one)

If you don't care about potentially breaking the law you can run it forever with a couple of scripts you can find on GitHub

If you don't want to break the law but also don't want to pay full price you can get a dubious but working key from sites like G2A and cdkeys

If that's still too sketchy there's the OEM licenses (honestly not worth it since they can only activate on a single machine ever)

Or finally you might feel sorry for Microsoft for some strange reason and want to go full retail price.

Basically the same experience with all options for a lot of cases, they're just happy to have users it seems

[–] pulsewidth@lemmy.world 1 points 1 day ago

Don't pay the guys on G2A for keys - they're just reselling stolen corporate MAK keys. They're also not legal to the terms of the EULA, so it's not a 'genuine copy' for the buyer either - you may as well just use Massgrave instead of funding crooks.

To add to your list of options: you can also just leave it unactivated forever.

It'll whine about requiring activation with a ''Activate Windows. Go to Settings to activate Windows" message overlaying the bottom right corner of the screen - but that's it, functionality is otherwise 99% unaffected (you can't change wallpaper.. Oh no). For Windows 10 it will now stop offering updates though - same as any standard Win10 copy, so I'd again recommend the Massgrave Dev route to keep the updates coming a few more years.

[–] anon5621@lemmy.ml 5 points 2 days ago* (last edited 1 day ago) (2 children)

No why pay money for this to assholes,more over I use windows server edition which not possible to get if u are not business client and it cost 800$

[–] eldavi@lemmy.ml 1 points 1 day ago

i don't want to and that's why i asked.

i stepped back into the windows eco sphere recently after leaving it 12 years ago and was wondering how people were getting around the activation now-a-days

[–] SteveTech@aussie.zone 1 points 2 days ago

windows server edition which not possible to get if u are not business client and it cost 800$

It probably depends on your uni, but students can get Windows Server licenses for free on Azure Education.

[–] tea@lemmy.today 4 points 2 days ago* (last edited 2 days ago) (1 children)

My work has licenses I can apply for VMs when I'm keeping them for longer client work, so yes they are licensed in my case.

I wouldn't do that for my own personal use though.

[–] eldavi@lemmy.ml 1 points 1 day ago

i left the windows eco-sphere around 12ish years ago and coming back has shown me that nothing has changed.

load more comments (2 replies)
[–] spaghettiwestern@sh.itjust.works 14 points 2 days ago* (last edited 2 days ago)

A few years ago I booted up Windows after months of exclusively using Linux. When I ran Windows Update it deleted and overwrote my Linux partition! This wasn't a grub issue, my files were gone and even file recovery utilities couldn't find much. Plenty of others have experienced the same thing.

This is still happening and is unquestionably pure maliciousness on Microsoft part.

[–] Buffalox@lemmy.world 18 points 2 days ago* (last edited 2 days ago) (2 children)

Microsoft secure boot is 100% made to be a pain in the ass for Linux users. It doesn't add any security, but is instead a huge added unnecessary risk factor for data loss for users.

[–] 9point6@lemmy.world 13 points 2 days ago (1 children)

It technically does add security in that it prevents a load of attack vectors that would dodge most anti malware tools (i.e. the ones before the anti malware tool can start)

But you're right in that the execution of the idea is unnecessarily painful for Linux

[–] Buffalox@lemmy.world 3 points 2 days ago (1 children)

OK so when did you hear of an actual successful attack that could have been avoided if the user had used secure boot?

[–] 9point6@lemmy.world 10 points 2 days ago* (last edited 2 days ago) (1 children)

Well boot sector viruses used to be all the rage in the 90s, they're entirely impossible under secure boot

Malware rootkits were a pretty big problem about a decade ago, I understand the techniques those mostly used are more or less impossible under secure boot now too

Then we could go into all the government and adjacent industry use cases where state-sponsored targeted attacks are a real concern. Measures like filling USB ports with super glue and desoldering microphones on company laptops is not unheard of in those circles, so blocking unknown bootloaders from executing is an absolute no brainer.

Saying it provides no security is just not true. Your front door isn't only secure if someone has failed to break in

[–] non_burglar@lemmy.world 5 points 2 days ago (2 children)

Secure Boot keys are considered compromised.

https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

If you are recommending secure boot as a security measure, you should stop doing so.

[–] erebion@news.erebion.eu 3 points 2 days ago (2 children)

That's just FUD. "Secure Boot keys are considered compromised."...

some are... some

Doesn't mean it's better to turn off all security measures and live without them.

That's like saying a lightbulb stopped working, so now you live without electricity. :)

load more comments (2 replies)
[–] 9point6@lemmy.world 7 points 2 days ago (1 children)

I'm not recommending it, I'm describing why saying it adds no security is silly.

The keys being compromised on some motherboards doesn't mean the whole concept is suddenly inert for every single user

If everyone has a copy of my passwords and authenticator keys, that wouldn't suddenly make 2 factor auth a compromised idea.

Hell, even if you are one of those people running a machine with the compromised keys, it's still going to block malware that was written before the keys were leaked unless malware authors have also figured out time travel.

load more comments (1 replies)
[–] wildbus8979@sh.itjust.works 8 points 2 days ago* (last edited 2 days ago) (1 children)

I don't know which distro you're using, but in Fedora and Debian it's pretty easy to install the signed version of grub and the signed shime and get full secure boot in Linux. No setup needed.

[–] Buffalox@lemmy.world 2 points 2 days ago (1 children)

Only as long as Microsoft allow it, and only because a lot of work was put into that shit. The first couple of years it was very flaky.

[–] SteveTech@aussie.zone 4 points 2 days ago (1 children)

It's easy enough to add your own secure boot keys, you can even remove the Microsoft keys so that only your OS will boot.

[–] Buffalox@lemmy.world 1 points 2 days ago

OK that's new to me, I have to admit I haven't been looking at it for years, I do not feel comfortable following Microsoft specifications, as Microsoft has a long h9istory of fucking things up for others on purpose, and their safety record is probably among the worst in the industry.

[–] M33@lemmy.sdf.org 6 points 2 days ago

Why not both?

[–] just_another_person@lemmy.world 4 points 2 days ago (1 children)

PCR is the name of a registered value in your TPM module.

Did you disable or otherwise changed your Secure Settings in your BIOS? That would do it.

[–] Static_Rocket@lemmy.world 4 points 2 days ago (2 children)

Any changes in the boot process should change various PCR registers. https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers

load more comments (2 replies)
[–] stupid_asshole69@hexbear.net 3 points 2 days ago

Yeah you gotta disable bitlocker.

[–] cassandrafatigue@lemmy.dbzer0.com 2 points 2 days ago

While there is a strong argument for incompetence, generally:

"Windows isn't done until lotus doesn't run"

load more comments
view more: next ›