Grub2 | Secure Boot Bypass and other issues - Update highly recommended

in case chroot with luks & EFI

ok… maybe i am just stupid. I have read this 4 times now and fail to understand how disabling os-prober is supposed to mitigate this vuln? (besides that windows is a virus ) Also, dont you have to have physical access to the pc? If that is the case, I dont think my wife and daughter are the hacker types. To me this is an overreaction. But maybe i am just missing the point here or missing a piece of information. As for having to chroot to reinstall grub, i reinstall grub everytime windows pukes on the bootloader. Not once have i had to use chroot. The documentation tells you how, but not why.

Case closed

Could someone explain why there is such a fuzz about this? As far as I know, “Secure boot” has to be disabled to be able to install Manjaro anyways? Did that change?

If not: Who gives a shit about a security issues that can bypass “Secure boot” if it’s not even enabled on your sys?

This:!!!

What am I missing?

That yesterday’s grub and os-prober update borked my grub. Instead normal screen all I saw was all black and the “Welcome to GRUB” on the center-right of the screen, as if it was peeking through a whole in a black curtain.
I do have dual-boot and the given command fixed the issue.

I’m confused a bit. Why the new default “security fix” is messing with the whole grub screen? Is that normal? Will this be affecting other users with dual boot or is it some anomaly on my side?

First I tried downgrades, didn’t help. So I was about to start a new support topic, then it hit me, I should check announcements and here it was, a lifesaver topic . Nevertheless, the update messed with my system, which shouldn’t happen.

I totally agree, i have had a black screen yesterday when booting, no grub menu. I use Manjaro for several months but the forum here only for 2 weeks so i could see the workaround.
But, I am thinking of people who use Manjaro but not the forum…very difficult for them.

But now, i am confused about this new announcement.
I do not understand what I am supposed to do:

1. Do nothing ?
2. Reinstall grub now ?
3. Wait for the security patches to be available with a new version of grub in the repo, then reinstalling grub ?
4. Forget grub and install another bootloader with less issues ?

I guess that I don’t know how to chroot or why to chroot. When I reinstalled grub it said it was successful? I don’t know what luks (disk encryption?) so I don’t have that either.

rEFInd life here

Is necessary to use chroot to reinstall grub in efi?

I am using EFISTUB

No, not at all.

New grub = no os-prober by default → no detection of other OSes → Manjaro Grub thinks there’s only Manjaro installed → no Grub menu shown in accordance with “silent Grub” concept. Enabling os-prober makes Grub menu visible just because now it knows there’s also Windows installed.

In brief, nothing. All people who don’t care about someone could access your PC / laptop are free to do nothing. However, all those who use SB to protect their systems against “evil maid” -like attacks should be quite concerned I guess. If you have corporate / personal secrets stored on your machine and you don’t want someone (criminals / government / competitors) steal it easily, you’d better update grub and enable Secure Boot protection using your own keys. Along with encryption, of course.

@openminded : Could you please tell me what do we have to do exactly ?

Updating or reinstalling Grub ?
I have the latest Grub package 2.04-21, so, it’s up to date no ?

Tell me if i am wrong : Now, what i have to do is :

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro --recheck
update-grub

Is that right ?
In that case, does it mean that all security patches are already included in the Grub version i have (therefore the latest 2.04-21) ?

Thank you

Basically you’re right but I do not follow Manjaro’s Grub maintenance (since I don’t use Grub and don’t care about it), so I can’t tell you if they applied all security patches or not. I believe they did, @nightmare-2021 and @philm are good at it. Check this gitlab page and see with your own eyes.

But again, if you don’t have Secure Boot enabled now, then you may do nothing as you might be not that interested in this level of security.

@openminded
Thank you for your help, this is crystal clear now

I am thinking about reinstalling grub, is this necessary on a Encrypted Filesystem?

Tell me please, what’s inside your /boot/efi/manjaro directory.

My 2 cents: Having the default to NOT ENABLE OS Prober by default is wrong. Manjaro should continue to have OS Prober enabled by default, and make sure an update doesn’t remove a feature that people will need to search for and/or complain about.

If you dual boot with Manjaro, you do not want your access to Windows removed because of an update. This was not properly managed in my opinion.

I still don’t see the connection with the fixed vulnerabilities in GRUB, and the fact that all dual booting users now require to edit their GRUB config and update GRUB to have their other OS showing in GRUB. I don’t understand why the default is now to have OS Prober disabled in GRUB.

I went to my parents last weekend, and spent some time at a friend’s father house to update his Manjaro… told him he needs to do the updates when they come in the notification area… If he listens he now has no access to his Windows 7 installation, and I will need to go back to fix it. Just my story but I can imagine many, MANY people are currently in trouble because of this new default.

It may not be Manjaro’s fault if GRUB gets updated, but such a change in GRUB behavior should have been better thought on Manjaro’s side, and something should have been implemented to fix the upcoming issues automatically (detect if currently dual booting by looking at some files for example, and auto fixing GRUB config to continue dual booting without the need of seeking for a fix when it is ‘broken’ for the user, or even simply a prompt in the terminal to add the new config to GRUB to continue dual booting //EDIT and here I meant in the terminal, during update process, like there already are for many thing when they got replaced).

Yes yes yes Vladimir, but, the real question is…would you like a “door frame” that is solid or one that has micro-holes (from who knows what kind of bugs) and squeaky hinges so that, if and when you decide on getting a proper door installed – you know that it will be accommodated well? That sounded weird, but I believe it’s an apt analogy. Luks is good enough for me and I’m honestly surprised why more people don’t opt for it, especially on mobile systems. Maybe it’s the fact that most people are “reactive” in nature and only engage in preventative items after something indeed traumatic happens. Personally I’m looking to get rid of grub myself and carry around a boot loader on my person. It’s a known vulnerability (albeit physical access) that boot loader code (and the kernel image itself) can be tampered with while you are away.