Grub2 | Secure Boot Bypass and other issues - Update highly recommended

They don’t. There’s no need to use such special tools when one deals with a vulnerable-by-design (in this specific aspect, of course) distro. Like everything except Fedora, (open)SUSE, Ubuntu, Debian, RHEL. I don’t remember what else has SB support OOB.

Exactly. However, it is possible to set up Secure Boot after installing Manjaro. In such a case a user of Grub should definitely update it.


That needs to be:

echo GRUB_DISABLE_OS_PROBER=false|sudo tee -a /etc/default/grub && sudo update-grub

Disabling the os prober by default may be a huge inconvenience for many, especially “normie” users who don’t visit forums or read announcements. It may scare away many new users, too. I think it would be great to include some explicit option to enable/disable the os prober in new installations and the Manjaro settings.


Um, I’m just thinking out loud here, the situation we’re in now isn’t as serious as the “boot hole” debacle last year where, in order to have a properly-updated system, a full re-installation of grub per a manual chrooting experience on a live session was required, correct? A simple grub update per terminal or pamac (even on luks partitions) is sufficient (so far) – right?


FWIW: A grub reinstallation did not and does not need live sessions and/or chrooting - just a running Manjaro with up-to-date grub package.

Yes, 100% agree! I think Manjaro is great partly because it is very easy to use and there’s not a lot you can do wrong. We can’t expect every single user to read the update announcements before updating, especially because updates are mandatory when installing a new package anyway.

We already saw that a lot of people fell into this trap with this update, see Exhibit A, B, C, and a lot more.

I would also say that it’s expected that a linux distro will detect and offer to boot into all other Operating Systems installed on the PC, that’s just a given by now. And not giving people this default will likely lead to a lot of “Manjaro removed my Windows” kind of support posts, which is just inconvenient for everyone involved.

Having an option during installation to detect other OSes and add them to Grub that is enabled by default may be a decent fix.


to be fully secure you should completely reinstall grub.

Hmmmmmnmmmmmmmmm, considering the number of CVEs here and > 100 patches already…I honestly think the process of “reinstalling grub” deserves a separate announcement thread of its own. I see that @nightmare-2021 just modified the first post to link that wiki article. My neutral-face emoji is becoming even more neutral here. :neutral_face:

I would suggest (for those of you keen on modifying wikis) that wiki page also include instructions for cryptsetup for those of us on luks. My link is based off @eugen-b’s very old guide that’s since been partially-nuked on the read-only forum. I’ve found it’s a very much trial-and-error process so I would also preface the discussion with caution advised. :warning:

Thank you so much for this announcement to keep our computers safe.

Reinstalling grub was so easy for my EFI System:

Open a terminal window and type or paste the following commands:

sudo su
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro --recheck
grub-mkconfig -o /boot/grub/grub.cfg

I don’t dual boot on this computer, but if I did, it’s a snap to use Kate (or your text editor of choice) to edit /etc/default/grub and remove the # in front of #GRUB_DISABLE_OS_PROBER=false and then type sudo update-grub into a terminal window. All fixed!
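Added example, not part of any post in this thread: a read-only check for the two questions that keep coming up here, namely whether Secure Boot is actually on and which GRUB_DISABLE_OS_PROBER value is in effect after appending with tee -a or uncommenting the line. The function names are hypothetical; the efivarfs path is the standard location of the SecureBoot variable.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# effective_os_prober FILE
# /etc/default/grub is sourced as shell, so commented lines are ignored and
# the LAST uncommented assignment wins (relevant after `tee -a` appends one).
effective_os_prober() {
    awk -v q="'" '
        /^[ \t]*GRUB_DISABLE_OS_PROBER=/ {
            v = $0
            sub(/^[^=]*=/, "", v)        # drop the variable name
            sub(/[ \t]*#.*$/, "", v)     # drop a trailing comment
            sub(/[ \t]+$/, "", v)        # drop trailing blanks
            gsub(/"/, "", v); gsub(q, "", v)   # drop quoting
            last = v
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# secure_boot_state EFIVAR_FILE
# An efivarfs file is 4 attribute bytes followed by the data; for SecureBoot
# the data is a single byte: 1 = enabled, 0 = disabled.
secure_boot_state() {
    [ -r "$1" ] || { echo "unavailable"; return; }
    b=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$b" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Report for the running system (only reads files, changes nothing).
fw=/sys/firmware/efi
sb="$fw/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
if [ -d "$fw" ]; then
    echo "firmware: UEFI, Secure Boot: $(secure_boot_state "$sb")"
else
    echo "firmware: legacy BIOS (Secure Boot not applicable)"
fi
if [ -r /etc/default/grub ]; then
    echo "GRUB_DISABLE_OS_PROBER: $(effective_os_prober /etc/default/grub)"
fi
```

"unset" means no uncommented assignment exists, so the package default applies.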

You need to be chrooted to properly install grub on efi installs, even if you don’t use luks. After the process is complete, reboot and load the grub menu to verify the version number.

can i use kde minimal in order to chroot/update grub in my full kde install?

now that a reinstall is recommended - does that include people not using secure boot (or multi boot for that matter), too?

And i don’t really get why chroot should be necessary if the system still boots? Maybe someone can enlighten me? ^^


i did reinstall bootloader (manjaro GRUB) last year and NO chroot is not necessary, though it was recommended as a fool-proof way AFAIK

Did I understand right, this only applies to devices with UEFI? So I don’t have to bother and can go on without reinstalling grub? I don’t dualboot and none of my devices has EFI/UEFI.

These vulnerabilities are meant to circumvent Secure Boot enabled systems. If you’re not using it, your system is vulnerable by default and no update will save you from such attacks.
Installing these grub updates on default Manjaro is pointless unless you have SB with your own keys right now. This entire discussion is hilarious because Manjaro doesn’t support SB out of the box. You can’t mitigate a breach when your door is wide open.


Do we have to reinstall grub now or wait for those security patches to be included within grub ?

In addition : some people are saying here we have to chroot to reinstall grub, some are saying we do not have to…
This is confusing to me, as well as reinstalling grub : maybe i am stupid too, but as those security patches are not yet included within grub (i am referring to the beginning of @nightmare-2021 saying there are still pending…). Why do we have to reinstall grub now ?

You’re right - thanks for the hint.
I’ve changed it in my post.

in case chroot with luks & EFI

ok… maybe i am just stupid. I have read this 4 times now and fail to understand how disabling os-prober is supposed to mitigate this vuln? (besides that windows is a virus :smiley: ) Also, don’t you have to have physical access to the pc? If that is the case, I don’t think my wife and daughter are the hacker types. To me this is an overreaction. But maybe i am just missing the point here or missing a piece of information. As for having to chroot to reinstall grub, i reinstall grub every time windows pukes on the bootloader. Not once have i had to use chroot. The documentation tells you how, but not why.


Case closed :clap: