GRUB's No Good, Very Bad, Day (at the hands of Microsoft)

A new Microsoft patch - for a two-year-old vuln - is preventing dual-boot computers from booting Linux. Monopolies at work again. Let's break that cycle.

Photo by Aegon Boucicault / Unsplash

There's a good write-up over at Ars Technica, written by Dan Goodin, describing what happened, and I encourage you to read it. Here's the TL;DR version for our purposes:

  • There's a 2022 CVE relating to Secure Boot for which Microsoft delivered a patch in August 2024
  • Microsoft explicitly documented that this change would not impact dual-boot computers
  • However, dual-boot computers running Debian-based Linux distributions alongside Windows with Secure Boot enabled now get an error message on boot and cannot boot into their Linux OS
  • That patch impacts the GRand Unified Bootloader (GRUB), which is the default boot loader for many (if not all) Linux distributions
  • The workarounds involve either disabling Secure Boot, or rolling back the patch (which requires temporarily disabling Secure Boot)
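Both workarounds above start from the same question: is this firmware actually enforcing Secure Boot right now? The script below is an added example, not something from the Ars Technica write-up or from any distribution's tooling. It reads the UEFI SecureBoot variable that the Linux kernel exposes under /sys/firmware/efi/efivars (the well-known variable name and GUID are real; the layout of 4 attribute bytes followed by a 1-byte value is the kernel's efivars file format) and reports enabled, disabled, unknown, or legacy for a machine that did not boot via UEFI at all. The `make_sample_efivar` helper writes constructed sample files so the parser can be exercised without touching real firmware variables.

```shell
#!/bin/sh
# Added example (not from the article): report whether UEFI Secure Boot is
# enforced on this machine before attempting either workaround described above.
#
# The kernel exposes the UEFI "SecureBoot" variable as a file whose contents
# are 4 attribute bytes followed by a single data byte (1 = enabled, 0 = disabled).
EFIVARS_DIR=/sys/firmware/efi/efivars
SECUREBOOT_VAR="$EFIVARS_DIR/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# sb_state_from_file FILE
# Prints "enabled", "disabled" or "unknown" based on the variable's data byte.
sb_state_from_file() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    # Skip the 4 attribute bytes and read exactly one byte as an unsigned decimal.
    byte=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' ')
    case $byte in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# sb_state
# Live check against the running system; "legacy" means no UEFI boot at all,
# so Secure Boot cannot be the reason a boot loader is refused.
sb_state() {
    if [ ! -d /sys/firmware/efi ]; then
        echo legacy
    else
        sb_state_from_file "$SECUREBOOT_VAR"
    fi
}

# make_sample_efivar FILE VALUE
# Writes a constructed efivar image (attributes 0x06, then VALUE) for testing
# the parser offline. These are sample files, not real firmware variables.
make_sample_efivar() {
    f=$1
    v=$2
    printf '\006\000\000\000' > "$f"
    printf "\\$(printf '%03o' "$v")" >> "$f"
}

main() {
    state=$(sb_state)
    echo "Secure Boot: $state"
    case $state in
        enabled)  echo "Firmware is enforcing signatures; a boot loader the patch rejects will not load." ;;
        disabled) echo "Firmware is not enforcing signatures; the patch is not what blocks GRUB here." ;;
        legacy)   echo "System booted without UEFI; Secure Boot does not apply." ;;
        *)        echo "Could not read the SecureBoot variable (run as root, or check that efivarfs is mounted)." ;;
    esac
}

main "$@"
```

Run it as root on the dual-boot machine before touching firmware settings; if it reports `enabled`, you know the Secure Boot setting is what stands between you and the rolled-back patch, and `disabled` tells you to look elsewhere for the boot failure.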

Obviously this isn't ideal. But I don't see it as being extremely high on Microsoft's list of things to fix for one primary reason: dual-boot is mostly an enthusiast/hobbyist/home-user thing; it impacts workstations and laptops, not servers, and it isn't part of any enterprise's infrastructure.1 So who is going to push Microsoft to fix this? Tracy from IT?

Let's dive into why Secure Boot is a problematic solution to an important problem, and how we might approach it differently going forward.

The Secure Boot Monopoly

Image by Mediamodifier from Pixabay

There's that word again, monopoly. I've accused Microsoft of being part of the problem for this reason before. As it happens, Secure Boot is a Microsoft invention, one that they convinced hardware manufacturers to jump on board with. Quite successfully, in fact. Unfortunately we've seen time and time again that it works relatively well for Microsoft's OS, but not so well for others. In the early days of Secure Boot the advice from even official Linux distributions was to disable it if you were installing Linux - dual boot or not. A spate of recent Secure Boot-related vulnerabilities has also demonstrated how the solution lacks scalability and resilience in the reality of hundreds of vendors who all need to interact with it securely.

Yes, Secure Boot provides an important security function, but when Microsoft can stop your legitimately installed OS from booting by issuing a poorly tested patch for the system, one questions whether the cure is worse than the disease, or whether Secure Boot should be in the hands of a non-commercial third party.

Why Linux Users Still Dual Boot

Since Secure Boot is controlled by Microsoft, and Linux users are often trying to distance themselves from Microsoft, why do many of them dual boot? It turns out there are a number of reasons why - and they all revolve around just how much of the market Microsoft controls or influences.

Peripherals Requiring Windows

Let's say, for the sake of argument, that you have a really nice wireless headset for your computer. But that headset has a behavior you don't like and want to change. You go to the manufacturer's website to find a utility to adjust the setting. You're often presented with two options - and that's if you're lucky:

  1. Download our app for Windows
  2. Download our app for MacOS

Sure, you MIGHT be able to run a compatibility layer like WINE and successfully use the Windows version of that software, but that's iffy at best. It gets even iffier if you're going to need to update the firmware on that peripheral. No, the safer, faster, and easier option is to boot into Windows and run it from there.

BIOS Updates Requiring Windows

You'd think that updating your BIOS would be a simple task of downloading the BIOS file to a thumb drive, rebooting into your BIOS, and installing using the built-in utility in the BIOS. In a number of cases, you'd be right. For example, the Intel line of NUC devices (now owned by ASUS) allows for exactly that. It works quite well.

However, for whatever reason, a number of hardware manufacturers - including big names - don't make it that easy. Again, the only download you can find is a Windows executable. Even if the BIOS can be updated from a file on a thumb drive, you have to extract that file from the Windows executable, which might contain several flavors that you now have to pick between to make sure you got the right one. Again, it's far safer, faster, and easier to just boot back into Windows.

Figuring out whether your hardware vendor supports updating the BIOS outside of Windows before you've purchased the hardware is a challenge. If you don't believe me, feel free to head down to your local Best Buy and take interest in a laptop. Ask the salesperson who comes to help you if you can update the BIOS outside of Windows, and ask them if they can prove that to you. You'll either get half the store involved in trying to figure that out, or you'll be flatly told they have no idea. That said, picking hardware from a company that explicitly supports Linux, including Dell, Framework, and System76 among others, can help you with this BIOS problem.

Linux Isn't Their "Daily Driver"

At the end of the day many dual-boot Linux users are still trying out Linux and can't afford the additional hardware to have a Linux box and a Windows box. Because of this they run both on the same hardware. They haven't made the leap to use Linux as their daily driver, because they're still captured by the idea that if they don't write that document in MS Word nobody will read it, or they haven't yet learned about the software ecosystem that is thriving on Linux. Issues like this one with Secure Boot also have a chilling effect on their confidence to cut the cord and move to Linux primarily, let alone exclusively. Heck, I've been using Linux as my daily driver for over a decade and I still dual boot.

Market Capture and Influence

So why don't hardware manufacturers offer more Linux support? Because Microsoft owns over 75% of the desktop market share, with MacOS a distant second. Linux represents somewhere in the neighborhood of 5% of that market, as we discussed in the recent CrowdStrike kerfuffle.

Unless and until that Microsoft market share comes down this will be the way of the world. It makes economic sense for vendors to gravitate to ensuring their products work well with Windows and less so that they work well with other operating systems. What vendor wakes up in the morning and says "I'm going to spend a significant amount of time focusing on 5% of the total possible market instead of focusing on 75% of it?"2 Cross-platform compatibility takes additional effort that the calculus suggests isn't worth the effort for many vendors today, which is certainly their prerogative.

Breaking The Cycle

Linux users would settle for vendors simply open-sourcing their software. Heck, Linux users are so enthusiastic about their systems that they often reverse engineer that closed-source software in order to support their favorite things. OpenRazer is an excellent example of this: someone wanted to make their Razer BlackWidow keyboard light up in Linux, not just Windows, and ended up writing a solution that supports hundreds of Razer products in Linux. If that headset software were simply open-sourced, and the firmware files were available for direct download, we in the Linux community would take care of this ourselves! Mostly, anyway. Heck, given that we'd write our software open-source, the original vendor might choose to incorporate that into their own software as improvements. These things have happened before, and as a wise Cylon once said, all of this will happen again.

So if you're a computer hardware manufacturer who wants a small but loyal and vocal fan base, well, you could do far worse than embracing open source and the Linux community as a whole. Who knows, there might be a business case in it for you. It's working for companies like Framework and System76, perhaps it could work for you too.

If you're an end user looking to experiment with Linux, you could do far worse than starting with my blogs on installing and running Linux for the first time:

Linux - Between Two Firewalls: How to's, why's, tidbits, and cool stuff to do with the penguin

1 Small businesses might do this, especially in the cybersecurity penetration testing world, but even mid-sized businesses will often tackle multi-OS needs through virtual machines or even assigning multiple devices to an employee. And dual-booting a server is just not a thing.

2 Only those who have already saturated the 75% of the market, that's who. Or one who has chosen a business model where that 5% is 100% of their target market.

Particular companies and brands were mentioned in this blog. I have no financial relationship with any of them, and merely mentioning them should not be construed as endorsing them or their products. Please, make your own decisions based on your own needs and research.