They don’t. There’s no need to use such special tools when one deals with a vulnerable-by-design (in this specific aspect, of course) distro. Like everything except Fedora, (open)SUSE, Ubuntu, Debian, RHEL. I don’t remember what else has SB support OOB.
Exactly. However, it is possible to set up Secure Boot after installing Manjaro. In such a case a user of Grub should definitely update it.
Disabling the os prober by default may be a huge inconvenience for many, especially “normie” users who don’t visit forums or read announcements. It may scare away many new users, too. I think it would be great to include some explicit option to enable/disable the os prober in new installations and the Manjaro settings.
Um, I’m just thinking out loud here, the situation we’re in now isn’t as serious as the “boot hole” debacle last year where, in order to have a properly-updated system, a full re-installation of grub per a manual chrooting experience on a live session was required, correct? A simple grub update per terminal or pamac (even on luks partitions) is sufficient (so far) – right?
Yes, 100% agree! I think Manjaro is great partly because it is very easy to use and there’s not a lot you can do wrong. We can’t expect every single user to read the update announcements before updating, especially because updates are mandatory when installing a new package anyway.
We already saw that a lot of people fell into this trap with this update, see Exhibit A, B, C, and a lot more.
I would also say that it’s expected that a linux distro will detect and offer to boot into all other Operating Systems installed on the PC, that’s just a given by now. And not giving people this default will likely lead to a lot of “Manjaro removed my Windows” kind of support posts, which is just inconvenient for everyone involved.
Having an option during installation to detect other OSes and add them to Grub that is enabled by default may be a decent fix.
Hmmmmmnmmmmmmmmm, considering the number of CVEs here and > 100 patches already…I honestly think the process of “reinstalling grub” deserves a separate announcement thread of its own. I see that @nightmare-2021 just modified the first post to link that wiki article. My neutral-face emoji is becoming even more neutral here.
I would suggest (for those of you keen on modifying wikis) that wiki page also include instructions for cryptsetup for those of us on luks. My link is based off @eugen-b’s very old guide that’s since been partially-nuked on the read-only forum. I’ve found it’s a very much trial-and-error process so I would also preface the discussion with caution advised.
I don’t dual boot on this computer, but if I did, it’s a snap to use Kate (or your text editor of choice) to edit /etc/default/grub and remove the # in front of #GRUB_DISABLE_OS_PROBER=false and then type sudo update-grub into a terminal window. All fixed!
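The edit described in the post above, as an added example that is not part of the original thread or of Manjaro's tooling: bash functions that report the effective GRUB_DISABLE_OS_PROBER setting in a GRUB defaults file and enable os-prober idempotently. The function names and the `.bak` backup are assumptions, and the sample file in `demo` is constructed.

```bash
#!/usr/bin/env bash
# Added example. Try it on a copy before pointing it at /etc/default/grub.

# Print the effective value: "false" (os-prober runs), "true" (disabled) or
# "unset" (only commented out or absent, so the packaged default applies).
os_prober_setting() {
    local file=$1 line value=unset
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}     # trim leading whitespace
        case $line in
            GRUB_DISABLE_OS_PROBER=*) ;;          # active assignment
            *) continue ;;                        # comments and other keys
        esac
        value=${line#GRUB_DISABLE_OS_PROBER=}
        value=${value%%#*}                        # drop a trailing comment
        value=${value//\"/}; value=${value//\'/}  # drop quotes
        value=${value//[[:space:]]/}              # drop stray whitespace
    done < "$file"
    # The file is sourced as shell, so the last assignment wins.
    printf '%s\n' "$value"
}

# Set GRUB_DISABLE_OS_PROBER=false, reusing a commented-out line if present.
# Does nothing when os-prober is already enabled; keeps a backup otherwise.
enable_os_prober() {
    local file=$1 key='^[[:space:]]*#?[[:space:]]*GRUB_DISABLE_OS_PROBER='
    if [ "$(os_prober_setting "$file")" = false ]; then return 0; fi
    cp -p -- "$file" "$file.bak"
    if grep -Eq "$key" "$file"; then
        sed -i -E "s/$key.*/GRUB_DISABLE_OS_PROBER=false/" "$file"
    else
        printf '\nGRUB_DISABLE_OS_PROBER=false\n' >> "$file"
    fi
}

demo() {
    local tmp before
    tmp=$(mktemp)
    # Constructed sample: the setting is present but commented out.
    printf 'GRUB_TIMEOUT=5\n#GRUB_DISABLE_OS_PROBER=false\n' > "$tmp"
    before=$(os_prober_setting "$tmp")
    enable_os_prober "$tmp"
    printf '%s -> %s\n' "$before" "$(os_prober_setting "$tmp")"
    rm -f -- "$tmp" "$tmp.bak"
}
demo   # prints: unset -> false
```

On the real file the functions need root, and the change only takes effect after `sudo update-grub`, as the post says.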
These vulnerabilities are meant to circumvent Secure Boot enabled systems. If you’re not using it, your system is vulnerable by default and no update will save you from such attacks.
Installing these grub updates on default Manjaro is pointless unless you have SB with your own keys right now. This entire discussion is hilarious because Manjaro doesn’t support SB out of the box. You can’t mitigate a breach when your door is wide open.
Do we have to reinstall grub now or wait for those security patches to be included within grub?
In addition: some people are saying here we have to chroot to reinstall grub, some are saying we do not have to…
This is confusing to me, as well as reinstalling grub: maybe I am stupid too, but as those security patches are not yet included within grub (I am referring to the beginning of @nightmare-2021 saying there are still pending…). Why do we have to reinstall grub now?
OK… maybe I am just stupid. I have read this 4 times now and fail to understand how disabling os-prober is supposed to mitigate this vuln? (besides that Windows is a virus) Also, don’t you have to have physical access to the PC? If that is the case, I don’t think my wife and daughter are the hacker types. To me this is an overreaction. But maybe I am just missing the point here or missing a piece of information. As for having to chroot to reinstall grub, I reinstall grub every time Windows pukes on the bootloader. Not once have I had to use chroot. The documentation tells you how, but not why.