I thought I was safe from this if I installed windows on a completely separate harddrive… I clearly overestimated Microsoft’s ability to make on operating system that does not act like literal malware. Oh well! I guess I’m 100% linux now.
I thought I was safe from this if I installed windows on a completely separate harddrive… I clearly overestimated Microsoft’s ability to make on operating system that does not act like literal malware. Oh well! I guess I’m 100% linux now.
I can think of three ways that this could’ve happened without either OS being broken necessarily.
One is that you’re still on an MBR drive (maybe you upgraded from Windows 7?) which can only have one single bootloader. The drive you pick to install Windows’ (or Linux’s) files doesn’t necessarily determine the location of the bootloader in that case. With MBR, both Windows and Linux are right to replace each other.
If you installed an UEFI system, this shouldn’t happen. There is, however, some broken hardware that causes this problem. Instead of registering a bootloader into the system on a normal path (say /boot/efi/linux/grub.efi), it’ll only boot the install medium/fallback bootloader EFI file. Both Windows and Linux put their bootloaders in the fallback location for these broken devices so they work. In this case both Windows and Linux are right to update these files and the problem lies with your broken motherboard. This usually happens with older computers.
There is another possibility. Microsoft got their Secure Boot key leaked over a year ago, and they’ve slowly been rolling out key updates so malware can’t use their key to hijack Bitlocker and bypass Bitlocker. If your bootloader hasn’t been updated to have the modern signing keys, and Microsoft renewed their keys, the motherboard may reject the bootloader. As far as I know there are new shims available, but with you speaking of reinstalling the bootloader to fix it, this may also have happened. A workaround would’ve been to disable secure boot, update the bootloader once the system has started, and turn secure boot on again, but Linux doesn’t warn you about this problem.
Microsoft is right to revoke their long-leaked keys, and this is the whole reason keys can be updated in the first place. Unfortunately, good tooling for secure boot doesn’t exist in Linux. In my opinion, the user should only deal with this issue once, during setup, and Linux should manage user keys for its kernel already instead of relying on the user executing a bunch of complicated commands. A combination of secure boot and an fTPM (hardware TPMs should be considered compromised at this point) have the ability to bring Windows-like security mechanisms to Linux, but so far no distro seems to bother.
It’s also possible that your motherboard just got its bootloader config corrupted. Mine does that sometimes, it’s a real pain. Grub does it, Windows does it, it’ll just garble up the bootloader entries and fall back to the fallback bootloader which is a 50/50 chance of booting either OS, basically.
Interesting. Could you elaborate on that?
Basically, they all seem to either communicate over plaintext or have bugs that make them effectively communicate over plaintext. I think https://www.secura.com/nl/blog/tpm-sniffing-attacks-against-non-bitlocker-targets has a nice, short overview of the problems. fTPMs have had their troubles but firmware updates can usually resolve those.
So far, all attacks can be fended off by setting up a secure TPM PIN, but after so many issues, I’m not confident in hardware TPMs anymore.
Thanks, much appreciated!
It’s worth noting that this isn’t a bug in the tpm uhh 1.1(?) specification. It’s working as intended.
The system was designed to prevent compromises from software attacks and people yanking the hard drives, not keep an enterprising uart-haver at bay.
State level attackers were never the target of the tpm and neither were downwardly mobile highly educated individuals.