Saw a lot of people get nailed by this in the Framework community. On the flip-side, if you eschew Microsoft products completely, I've had a really good experience (for the most part) using Secure Boot with custom keys on Linux on my Framework 13 AMD laptop. I am using Arch, and have it set up to build UKIs that are signed automatically via a post-build hook using `sbctl` and EFI booting using systemd-boot. As much as I generally dislike SystemD, if you go all-in on it, it does work relatively well on modern hardware.

Shim is really only required on Linux when dual-booting, and really only because the entire Trusted Computing Platform architecture is not user-centric and is designed around the needs of Microsoft more than any other entity. But because they at least paid lip-service to users, you have the ability to just eliminate Microsoft keys entirely on your system and go all-in on custom Secure Boot w/ Linux. I am hard-pressed to find a reason for any moderately technical user to still be running Windows in 2024, as most important productivity tools are primarily or at least optionally web-based, and Linux is significantly better in every other capacity.
This is another reason not to do dual-boot, but to just use Linux.

Here's a good litmus test for a company we're considering joining: do at least their engineers (if not their PowerPoint+Excel biz people) use Linux for their laptops, not only for their servers? If they do use Linux, I'm just going to assert that they're likely more clueful than average.

Similar with startup hiring. Two options for this: (1) give a resume-screening boost to people who seem to have bought into Linux; or (2) announce in your job posts that the company pragmatically uses Linux for everything, to attract people who see that as clueful, and scare away a lot of others.

(Unfortunately, #2 also alienates some mostly-clueful people who really like Macs, and maybe even some clueful people who, through some cruel accident of history and gaming rigs, only know how to do Windows.)

(Actually, even more than Linux, I suspect that a startup using a BSD would probably be more technically clueful than the average Linux shop. Because some fringe tech seems to attract the smartest and/or best-motivated techies disproportionately. But I'd say Linux is a sweeter spot overall for more startups.)
Lots of hate on Microsoft for doing this, but SBAT was made exactly for this reason: to prevent boot loaders with known vulnerabilities from booting an operating system that might not be the one you think.

Might as well disable secure boot if that's not a concern, or make sure the boot loader is up to date if dual booting Windows 11. I can't imagine new machines shipping without SB.
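To make the SBAT mechanism the comment refers to concrete, here is an added example (not code from the thread or from shim) that models the generation check a shim-style loader applies: each component in a boot binary's `.sbat` section carries a generation number, and the firmware-side policy (the `SbatLevel` variable) lists the minimum generation per component name. The sample `.sbat` contents and policy generations are constructed for illustration, and the "no SBAT data means refused" rule is stated as the modelled behaviour.

```python
import csv
from io import StringIO

# Constructed sample: the .sbat section of an older shim build.
# Record layout: component_name,component_generation,vendor_name,vendor_package,vendor_version,vendor_url
OLD_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,15.6,https://github.com/rhboot/shim
"""

# Constructed sample policy of the kind carried in SbatLevel: component_name,minimum_generation
# The generations are made up for this example; a real check uses the vendor's published list.
REVOCATION_POLICY = """\
sbat,1,2024010100
shim,4
grub,3
"""


def parse_sbat(text):
    """Map component_name -> generation from SBAT-style CSV (short or blank rows ignored)."""
    entries = {}
    for row in csv.reader(StringIO(text)):
        if len(row) < 2:
            continue
        entries[row[0].strip()] = int(row[1])
    return entries


def sbat_check(binary_sbat, policy):
    """Return (allowed, denied) for a binary's .sbat data under a revocation policy.

    A component is denied when the binary declares a generation lower than the
    policy minimum for that name; names absent from the binary are not affected.
    A binary carrying no SBAT data at all is refused outright (modelled after shim's
    enforcing mode; treated here as an assumption).
    """
    have = parse_sbat(binary_sbat)
    if not have:
        return False, [("<no SBAT data>", None, None)]
    want = parse_sbat(policy)
    denied = [(name, have[name], want[name])
              for name in want if name in have and have[name] < want[name]]
    return (not denied), denied


if __name__ == "__main__":
    ok, why = sbat_check(OLD_SHIM_SBAT, REVOCATION_POLICY)
    print("boot allowed" if ok else f"boot denied: {why}")
```

Running it against the constructed old shim reports a denial on `shim` (generation 2 below the required 4), which is the same class of refusal a machine sees after its firmware's SbatLevel is raised while the installed loader stays old.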
As someone who remembers 1990-2000, I'm always amazed that these little bugs always seem to just randomly favor Microsoft. It's kind of miraculous, really. A Windows update roaches the Linux part of dual boot. How about that, nothing could be done.
Hanlon's razor comes to mind, but it seems like a huge oversight for Debian and Debian-based distros like Ubuntu and Mint to break. That's a large proportion of the Linux userbase. I wonder if this affects Debian more generally or does the installation method matter?
I am a bit curious how exactly Microsoft planned to identify that a machine was dual booting Linux.

Looking for certain files on a random partition? A list of distros and versions? A partition type? Anything seems to be error prone and likely to miss something.
i’m just so over microsoft. mac is expensive, but otherwise great. nixos is awesome. have to use a windows vm for work, but thankfully IT deals with it. when microsoft launched wsl, I thought it would be amazing, but all their forced bing integration has driven me nuts and i’m out on them.
> but for unclear reasons, Microsoft patched it only last Tuesday

I think it's obvious why Microsoft has only recently patched the issue: because Linux distros really lag behind on security issues like these. Hence the warning some people receive: they're still using a vulnerable boot configuration that was fixed two years ago.

In a similar vein, Microsoft waited a year before automatically releasing a secure boot related patch that affected Windows, so system administrators wouldn't be blindsided: https://msrc.microsoft.com/blog/2023/05/guidance-related-to-secure-boot-manager-changes-associated-with-cve-2023-24932/

The impact of these patches is minor for most consumer devices, but for corporate environments where IT may need to go around entering Bitlocker recovery keys in some edge cases (and where recovery media needs to be made using a recent ISO or it won't work), people need a reasonable time to prepare.
reinstall with only linux, problem solved

get rid of secure boot, more problems solved

if you run Windows in 2024 you deserve all the misery you get