Grub2 | Secure Boot Bypass and other issues - Update highly recommended

Pretty sure this will affect any system with grub eventually, as grub is not developed by the Manjaro team.
It's only because Manjaro is rolling release that it is seen here before other systems; meanwhile non-rolling distros still have the insecure grub.

Yes, I agree. Personally, I didn’t even know there were update announcements until today. And I definitely thought it was a bug when Windows got removed from grub.


Ah alright, I have confused it with another case then. Now it looks like a real issue to me.

I have checked it on OpenSUSE Tumbleweed, also rr.

Grub os-prober stays enabled if you had it this way before. The only thing that goes back to default is the theme.

Anyway, OpenSUSE has an easy graphical way to switch os-prober on and off (a checkbox in the bootloader config). Very convenient if you want to help out someone who’s not tech-savvy.


Interesting. Not surprised that it got the update as it is rr, nice to have a fancy GUI though.


You are correct that it is not the same as silent GRUB.
I think changing the menu to hidden was unintended.
But if /etc/default/grub was updated with the unintended change, it would also have the intended change to add the os-prober option.


Just wanted to thank the devs for re-enabling os-prober.


I got a funny error when this hook/script failed to find Grub because neither Grub nor os-prober were installed. :rofl:

No need to worry about GRUB security issues if there is no GRUB.

wise


Yea, I stopped worrying and loved the bomb systemd-boot.


now you can worry about security on systemd

Thank you. Also many thanks to @openminded who gave a very simple and quick explanation of the meaning of all this.

About grub.pacnew files… I have read the wiki on System Maintenance, but I'm having trouble understanding. I have an original (I suppose old) grub file edited to my preferences. And every time there was a grub update, I would get a grub.pacnew file, which I suppose was the updated version of grub. I have never attempted to merge or overwrite my original grub file with the grub.pacnew file before. Currently my system (dual-boot installation with Windows which I never use, only have it as a backup plan) runs with the original grub file and therefore the os-prober is enabled by default (and lots of other lines that exist in the .pacnew file are missing from the original grub file).

Can you please explain to me if I have to completely overwrite the original file with the .pacnew and then re-edit in my preferences? What risks are involved in doing so (is there a risk of being unable to boot into Manjaro) and what happens if I never handle the .pacnew file and leave my old grub file as is? Is there a safe or recommended way of handling this?

EDIT: I found a topic that answers my questions aptly enough, for anyone else out there who is inexperienced about .pacnew file maintenance. Timeshift is up and running, copied the current grub file as a backup on a separate partition, doing a back-up of my personal data just in case (nobody can really afford to lose working hours) and then I am going to tackle the handling of grub.pacnew with DIFFPROG=meld pacdiff, while being aware about the latest changes in grub configuration (os-prober). I honestly had a lot of trouble trying to understand what I need to do and which command to use exactly, but things are getting clearer now.

I apologize if I went off on a tangent here.

It is enabled because it now defaults like before and Manjaro Settings automatically enable it for the user on update to keep the old behavior as there is no real reason to disable it on Manjaro, which requires secure boot to be disabled in the first place.

Globally your question has no definitive answer, as every system is different, so you need to look at the difference between the new default file and your current one, and think about whether you add the new default settings to your config file or not.

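The two posts above turn on a detail that is easy to miss when merging a grub.pacnew: with GRUB 2.06, grub-mkconfig only runs os-prober when `GRUB_DISABLE_OS_PROBER=false` is set explicitly, so a live /etc/default/grub that simply never had the variable ends up with os-prober off once the new grub is installed (which is what the Manjaro hook re-adds). The script below is an added example, not code from the thread or from the Manjaro project; the sample `grub` and `grub.pacnew` contents are constructed for the demo, and the function names are my own. It reports what a given file means for os-prober under the 2.06 rule and lists the variables the .pacnew would introduce, which is the information you want in front of you before running `pacdiff`.

```shell
#!/bin/sh
# Added example (not from the thread or the Manjaro project): decide what a
# /etc/default/grub means for os-prober under GRUB 2.06, and list the
# settings a grub.pacnew carries that the live file lacks.
# Paths and file contents below are constructed for the demo.

# Effective value of one GRUB_* variable in a /etc/default/grub style file.
# The last uncommented assignment wins, which is what sourcing the file does.
grub_var() {
    # $1 = file, $2 = variable name
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- \
        | sed -e 's/^["'"'"']//' -e 's/["'"'"']$//'
}

# GRUB 2.06 runs os-prober only when GRUB_DISABLE_OS_PROBER is explicitly
# "false"; an unset variable, or any other value, disables it.
# Returns 0 when os-prober would run, 1 otherwise.
os_prober_enabled() {
    [ "$(grub_var "$1" GRUB_DISABLE_OS_PROBER)" = "false" ]
}

# Variable names assigned in the .pacnew but absent from the live file,
# i.e. the new defaults a merge would introduce. One name per line.
missing_keys() {
    # $1 = live file, $2 = pacnew
    live=$(grep -Eo '^[[:space:]]*GRUB_[A-Z_]+=' "$1" | tr -d ' =' | LC_ALL=C sort -u)
    grep -Eo '^[[:space:]]*GRUB_[A-Z_]+=' "$2" | tr -d ' =' | LC_ALL=C sort -u \
        | while read -r key; do
            printf '%s\n' "$live" | grep -qx "$key" || printf '%s\n' "$key"
        done
}

# Constructed samples standing in for /etc/default/grub and grub.pacnew:
# the live file predates the os-prober change and never set the variable.
make_samples() {
    cat > "$1/grub" <<'EOF'
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
EOF
    cat > "$1/grub.pacnew" <<'EOF'
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_TIMEOUT_STYLE=hidden
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_DISABLE_RECOVERY=true
GRUB_DISABLE_OS_PROBER=false
EOF
}

# Report for a pair of files: os-prober state of each, then the new keys.
report() {
    # $1 = live file, $2 = pacnew
    for f in "$1" "$2"; do
        if os_prober_enabled "$f"; then
            printf '%s: os-prober would run\n' "$f"
        else
            printf '%s: os-prober would NOT run\n' "$f"
        fi
    done
    printf 'settings only in %s:\n' "$2"
    missing_keys "$1" "$2"
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
report "$demo_dir/grub" "$demo_dir/grub.pacnew"
rm -rf "$demo_dir"
```

On a real system, point `report` at `/etc/default/grub` and `/etc/default/grub.pacnew` before merging with `DIFFPROG=meld pacdiff`; if the live file shows "would NOT run" and you dual-boot, make sure `GRUB_DISABLE_OS_PROBER=false` survives the merge, then regenerate with `grub-mkconfig -o /boot/grub/grub.cfg`. The script only reads the files it is given and changes nothing.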

I don’t know whether it’s Ventoy or Grub update, but now it is finally not possible to boot Manjaro iso on a SecureBoot-enabled machine using Ventoy. Previously it was perfectly doable, which in fact was an indicator of a huge security flaw in Ventoy and/or Grub.

EDIT: Seems like a Grub thing: now it requires a kernel signed with some allowed certificate, and it prevents booting with no/wrong signature.

I noticed that yesterday when a friend needed to use Ventoy to boot a Windows ISO. Secure boot blocked the boot, BUT by following these steps… it worked lol secure . Ventoy

I don’t know about a Manjaro ISO though.

That's a correct way to use Ventoy indeed, there's nothing funny about it. Your friend tried to boot an untrusted unsigned binary (Ventoy's Grub), UEFI refused to proceed, he signed it and enrolled a certificate into MOK, and now UEFI considers all binaries signed with that cert to be allowed. It then hands over to a Windows loader binary which is always signed and considered trusted when using a default Secure Boot mechanism.
I was talking about another thing. Since Manjaro has unsigned kernel binaries, they should be denied to boot even using Ventoy's signed loader. But that was not the case until recently.


I use dual-boot with Windows 10 and my Surface UEFI supports Secure Boot. Can I turn it on if I still want to boot to Manjaro?

Is secure boot compatible with Manjaro?

You can, but it will result in a non-bootable Manjaro.

@omano it’s the other way around: Manjaro does not support Secure Boot out of box.
Only Ubuntu, Debian, RHEL, Fedora, SLES and openSUSE support it OOB.

There is a way to make any OS of your choice able to boot with SB enabled, but it is a quite tricky manual process which is covered in plenty of how-tos easily available on the internet. For example, go search for "Sakaki install guide" on the Gentoo wiki. Read Rod Smith's instructions. Read the Arch wiki, at last. And so on.

It was a rhetorical question.