Saw a lot of people get nailed by this in the Framework community. On the flip side, if you eschew Microsoft products completely, I've had a really good experience (for the most part) using Secure Boot with custom keys on Linux on my Framework 13 AMD laptop. I am using Arch, and have it set up to build UKIs that are signed automatically via a post-build hook using `sbctl`, and EFI booting using systemd-boot. As much as I generally dislike systemd, if you go all-in on it, it does work relatively well on modern hardware.
Shim is really only required on Linux when dual-booting, and really only because the entire Trusted Computing Platform architecture is not user-centric and is designed around the needs of Microsoft more than any other entity. But because they at least paid lip-service to users, you have the ability to just eliminate Microsoft keys entirely on your system and go all-in on custom Secure Boot w/ Linux. I am hard-pressed to find a reason for any moderately technical user to still be running Windows in 2024, as most important productivity tools are primarily or at least optionally web-based, and Linux is significantly better in every other capacity.
This is another reason not to do dual-boot, but to just use Linux.
Here's a good litmus test for a company we're considering joining: do at least their engineers (if not their PowerPoint+Excel biz people) use Linux for their laptops, not only for their servers? If they do use Linux, I'm just going to assert that they're likely more clueful than average.
Similar with startup hiring. Two options for this: (1) give a resume-screening boost to people who seem to have bought into Linux; or (2) announce in your job posts that the company pragmatically uses Linux for everything, to attract people who see that as clueful, and scare away a lot of others.
(Unfortunately, #2 also alienates some mostly-clueful people who really like Macs, and maybe even some clueful people who, through some cruel accident of history and gaming rigs, only know how to do Windows.)
(Actually, even more than Linux, I suspect that a startup using a BSD would probably be more technically clueful than the average Linux shop. Because some fringe tech seems to attracts the smartest and/or best-motivated techies disproportionately. But I'd say Linux is a sweeter spot overall for more startups.)
This is a terrible way to evaluate companies/people, and it comes off as a “Linux person” who refuses to understand why companies use Windows.
The fact is that Windows has leagues more control features (Group Policy, etc.) than Linux does, and those features are required for any kind of sane management of an IT landscape, and are also required in many industries for compliance reasons. And no, Ansible etc. is not the same thing.
The better way to evaluate is to discuss why they chose that tool for any particular job. Linux is often the right answer for servers, and Windows often the right answer for end user computers. But there may be cases where a specific case is better suited to a different tool.
Every year I think, damn, this Linux desktop has been great for a while now! Oops, now I am getting full computer lockups, worse than I have ever seen even on Windows:
I don't know if this is: some recent Intel microcode affecting 11th gen somehow? Wayland/GNOME? tracker-miner-fs3 with 3500 SQL errors per second... is this the problem or a symptom? Ubuntu delaying 24.04 updates from 22.04... guess I just wait a month in case that helps. Did upgrading my Framework BIOS make it worse or better? It happens to be more common when opening YouTube tabs... is this some kind of malicious YouTube vs uBlock war bullshit? NO idea how to troubleshoot this kind of low-level full lockup, which I haven't learned in 20 years of Linux experience (not enough desktop experience I guess).
On the plus side, I did learn about Alt+PrintScreen+(R E I S U B), which is a horrifying thing to remember, let alone need to use.
It's high overhead, but having a VM just for Excel isn't that insane. Performance differences these days are negligible, and if you are just using Excel I doubt it's that much of a problem. There is also Google Sheets.
For planning, Jira is king and available as a web app.
Maybe even a reverse litmus test. You can't go full-Linux and ignore Windows, otherwise you'll become illiterate in the most used consumer desktop OS after a few years when Microsoft messes it up even more :P
Becoming a Linux user is great, becoming a Linux/Windows/Mac/TempleOS/etc. zealot is not.
You take that back, TempleOS is obviously the best computer system. No networking is a true blessing, and the 640x480 is undeniably crisp and far more practical than 1920x1080. And do I even need to mention the elephants?
GP said their engineers; I absolutely sympathise with not wanting to work somewhere with mandatory Windows, I might forget to ask, but I can't/am unwilling to work like that. MacOS I can get by with, but in web software engineering at least I would say Windows is unusual, and being someone who 'refuses to understand why' a company would force its engineers to use Windows is not going to be that restrictive for someone in that industry.
It's my primary tool really, and it affects all the others!
I think that's a pretty weak heuristic, and you'd be venting yourself the chance to work at quite a few excellent places to work if you pooh-poohed them because the developers don't all run Linux.
For me, though, if they won't let me run Linux, then I won't work for them.
Lots of hate on Microsoft for doing this, but SBAT was made exactly for this reason: to stop boot loaders with known vulnerabilities from booting an operating system that might not be the one you think.
Might as well disable secure boot if that's not a concern, or make sure the boot loader is up to date if dual booting Windows 11. I can't imagine new machines shipping without SB.
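The SBAT check that the comment above refers to, as an added example that is not from this thread: a revocation policy and a boot loader's `.sbat` metadata are both CSV, and the loader is refused when any of its components carries a generation number below the policy's minimum. The policy text and `.sbat` contents here are constructed for illustration, not real revocation payloads; the PE walker uses only the standard section-table layout so it can be pointed at a real EFI binary.

```python
import struct
# Constructed SbatLevel policy (not a real revocation payload): "component,minimum_generation" per line.
POLICY = "sbat,1,2024010900\nshim,4\ngrub,4\n"
# Constructed .sbat text of an older bootloader: component,generation,vendor,package,version,url
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2\n"
)

def parse_sbat(text):
    """Return {component: generation} from SBAT CSV; fields after the second are metadata."""
    out = {}
    for line in text.strip().splitlines():
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {line!r}")
        out[fields[0]] = int(fields[1])
    return out

def sbat_verdict(policy_csv, sbat_csv):
    """SBAT rule: reject if any image component's generation is below the policy minimum."""
    policy, image = parse_sbat(policy_csv), parse_sbat(sbat_csv)
    for comp, gen in image.items():
        need = policy.get(comp)  # components the policy never names are not revoked
        if need is not None and gen < need:
            return False, f"{comp} generation {gen} < required {need}"
    return True, "ok"

def extract_sbat_section(pe):
    """Walk a PE/COFF section table and return the .sbat section text (stdlib only)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    sec_tbl = pe_off + 24 + struct.unpack_from("<H", pe, pe_off + 20)[0]  # skip optional header
    for i in range(nsec):
        hdr = pe[sec_tbl + 40 * i:sec_tbl + 40 * (i + 1)]
        size, ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        if hdr[:8].rstrip(b"\0") == b".sbat":
            return pe[ptr:ptr + size].rstrip(b"\0").decode()
    raise ValueError("no .sbat section")

def build_test_pe(sbat_text):
    """Wrap SBAT text in a minimal, non-bootable PE so extract_sbat_section can be exercised."""
    body, pe_off = sbat_text.encode(), 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)  # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # 1 section, no optional header
    sec = b".sbat".ljust(8, b"\0") + struct.pack("<IIII", len(body), 0, len(body), pe_off + 64) + b"\0" * 16
    return dos + coff + sec + body
```

Bumping the constructed loader's `grub` generation from 3 to 4 is enough to pass the same policy, which is exactly why an unpatched distro boot loader trips the check once the policy is raised.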
Genuine question. What's the practical difference between dual-booting and running Win-11 in a VM?
I understand there's some performance differences, obviously. And VM requires perhaps a bit more setup and understanding.
However, is it reasonable to VM Win-11 to mediate SB concerns AND be able to have access to basic Windows software and services, since they're used a lot by industry and universities?
i.e. I just need access to OneDrive and MS Office for the most part.
GPU passthrough should work for a lot of cases. The games that are most likely to have problems are the ones with draconian DRM or anti-cheat. I avoid those, so Proton tends to work for me anyway, so I don't bother with Windows.
This isn't technically required, but does make things easier (search "single gpu passthrough"). However, an integrated GPU for the host + separate GPU for guest for games is also an option, and many modern AMD systems come with an integrated GPU.
> A monitor with two inputs or multiple monitors.
That's not really necessary, you can use an HDMI splitter or just plug the active GPU in (I mean, if you're dual booting you can only access one system at a time, so it shouldn't be an issue; you can plug an extension cable into your monitor so that you have a dedicated cable for each GPU, that way you don't need to mess with plugs at the devices. I actually did this for a while to share my monitor with a games console.)
Yes, it’s not the simplest thing to set up, but it does avoid the issues down the OP while still allowing gaming.
Personally, I never bothered because everything I want to play works on proton.
It prevents Windows from running under its own hypervisor, which it does to provide additional security (some configurations allow certain crypto operations to happen "outside" Windows).
It would work great if NVIDIA, AMD and Intel made high-end consumer GPUs that could be shared between host and guest. So far we can only share Intel iGPUs, at least on paper, because I haven't managed to make it work.
... Or hack NVIDIA GPUs and potentially brick your $2000 card...
It all boils down to: is there someone who is willing to put in the money to review available boot options manually? Because if that is not the case, you might as well deactivate Secure Boot.
As someone who remembers 1990-2000, I'm always amazed that these little bugs always seem to just randomly favor Microsoft. It's kind of miraculous, really. A Windows update roaches the Linux part of dual boot. How about that, nothing could be done.
Hanlon's razor comes to mind, but it seems like a huge oversight for Debian and Debian-based distros like Ubuntu and Mint to break. That's a large proportion of the Linux userbase. I wonder if this affects Debian more generally or does the installation method matter?
I am a bit curious how exactly Microsoft planned to identify that a machine was dual booting Linux.
Looking for certain files on a random partition? A list of distros and versions? A partition type? Anything seems to be error prone and likely to miss something.
Maybe port `os-prober` to Windows? Has been a relatively stable solution for me for probably decades at this point, and hasn't missed anything yet, but maybe I'm not doing enough esoteric setups.
Based on the article, but I’m still not sure if this is the case, it seems like they checked for a specific shim(s), which would be on the EFI partition that everything shares.
I wonder if they were checking for extra entries in the Windows boot config database instead (i.e. Windows chain loading grub), but most people go the other way?
I'm just so over Microsoft. Mac is expensive, but otherwise great. NixOS is awesome. I have to use a Windows VM for work, but thankfully IT deals with it. When Microsoft launched WSL, I thought it would be amazing, but all their forced Bing integration has driven me nuts and I'm out on them.
Every Mac I've used for the past 5 years hasn't been expensive. I switched away from Windows 5 years ago, and I'm not looking back. Heck, some of the video cards for Windows cost more than my entire system here.
If the base model will work for you, then it can be super cheap, but when you need upgrades, it gets expensive super fast.
I’m optimistic that the M4 chip based Macs will have better IO across the line and better RAM specs for AI, and overall not get us sucked into upgrades for no purpose. If you use multiple displays, you basically have to get pro or ultra chips, but rumor is M4 will offer way better options in this regard with more display engines and thunderbolt ports.
I'm on NixOS but honestly tempted to move to Mac and Nix. I love Nix as an idea and it's flawless for me most of the time, but that little friction I get trying something new is a bit of a pain.
Nix is so awesome. I use Claude AI to refactor parts of my OS into modules so I can just turn them on and off, and it does an awesome job!
My concern with using Nix on Mac is that the uninstall is not as good so you can’t just comment out something and the Mac will just eliminate it from your system and it will be gone, but I’m considering switching to Nix darwin as well. Let me know how it goes for you!
Oh, I've been using Nix on Mac for quite a while. Not sure about the uninstall, but recently I did a fresh MacBook install and used the Determinate Systems Nix Installer[1]. I haven't tried uninstalling, but installation was a joy by comparison to the traditional way (and poor documentation).
When I said uninstalling, I mean the way you can just comment out a program in the configuration file on a nix system and poof it is no longer installed in your system and it’s like it was never installed at all.
Ah, that happens with Nix Darwin too. It's otherwise a full Nix install.
Note though that I'm not sure how well it integrates with Mac as a desktop. I've not tried it to install desktop apps. I only use it for terminal-oriented apps/libs/etc., and for that it works as you'd expect.
Not sure what the best possible Nix UX is for Mac desktop apps.
> but for unclear reasons, Microsoft patched it only last Tuesday
I think it's obvious why Microsoft has only recently patched the issue: because Linux distros really lag behind on security issues like these. Hence the warning some people receive: they're still using a vulnerable boot configuration that was fixed two years ago.
The impact of these patches is minor for most consumer devices, but for corporate environments where IT may need to go around entering Bitlocker recovery keys in some edge cases (and where recovery media needs to be made using a recent ISO or it won't work), people need a reasonable time to prepare.
Because last time I installed MS-Windows 10 it had the most beautiful unlimited blinking cursor in the corner and nothing else. Until I installed GRUB from a GNU+Linux live CD whose root fs wasn't an actual device and that broke grub-probe. But fortunately grub-mkconfig is a shell script.
I don't know why it failed but it did and Grub saved the day.
In my opinion there is no reason for using GRUB for any purpose.
I have considered it obsolete and I have stopped using it more than a decade ago.
For the purpose of booting multiple operating systems on the same computer, including with multiple versions of the Linux kernel, I just keep a set of small USB memories, one for each operating system that I want to boot, which are formatted with FAT32 and which contain, in the case of Linux, the kernel, the initramfs file and syslinux to boot them.
This is much safer and much more foolproof than having a multiple boot configuration on the computer, which can be damaged by Windows at any time.
Even for people who do not want to boot from external memories, GRUB is not needed, because now multiple boot can be done from the UEFI menu, which can boot directly a Linux kernel without any extra boot manager.
Syslinux? Has that been ported to efi? I have one machine, maybe a year old, that won't boot legacy bios anymore. Edit: yes, apparently there is a kind of barebones UEFI port.
In that scenario syslinux is doing the work of grub. There is nothing about grub inherently saying you need to multiboot with it.
There is a limit to how much time I want to spend learning how to do things like that, and then configuring and dealing with a broken system when my exploration goes awry. It's a valid reason.
This is great when you completely discount almost all gamers or people doing graphical work? Proton is only so good and many games are still completely broken.
We'll come back with "We don't pay monthly subscription fees to shady companies like Adobe, who then charge you a large fee just to cancel your monthly subscription to use Photoshop." There are cool things like Photopea, but yeah, there's no rebuttal for Windows-only and Windows-specific software.
To each their own. I'm rooting for linux desktop to be the future though. For gamers, for photo editors, artists. All of us.
> Adobe software is the best we have on the market for audio-visual production.
It's good, but besides Premiere I really don't think many of Adobe's products are hot shit nowadays. You can do most of the same compositing you do in Sony Vegas with Blender and DaVinci Resolve; today's tools are diverse enough that you don't need Adobe. And for music production and photo editing, I don't even think Adobe is a competitor. Affinity Photo eats Photoshop's lunch, and everyone else that wasn't going to pay for a photo editor can use GIMP or Photopea.
Unless you explicitly work at an Adobe-only shop, I really see no reason to continue using modern Adobe products. The value is just so bad compared to what you can buy elsewhere.
Adobe products have dynamic links between each other, so you can easily make a cut in Premiere, motion graphics in After Effects with assets from Photoshop, sound and music in Audition, and all changes are visible instantly in one project.
For photography, unfortunately, all other editors are impractical, except Capture One, which has an even worse pricing policy.
Don't get me started on collaboration with other studios or plugin compatibility.
While Affinity might be a true alternative for Photoshop, InDesign and Illustrator, it is not compatible with Linux.
Secure Boot can be leveraged to more securely boot anything you choose, but it does require some setup effort, so I get it if you choose to keep things simple (but less secure).