On Fri, 22 Sept 2023 at 08:55, Julian Andres Klode < julian.kl...@canonical.com> wrote:
> It's no secret that we ship a patch in Ubuntu to keep running
> os-prober if the existing grub.cfg has os-prober entries in it to
> avoid the regression, but the ship has sailed for Debian, everyone
> has received the update by now, so introducing it again isn't helping
> anyone (arguably the patch keeps it on if you install fresh but that
> wasn't my personal decision).
>
> If you are interested in multi boot via grub menu, my suggestion would
> be to invest the time to write the code to do os-probing from grub. The
> most important piece - dual booting windows can be easily done by
> checking if the correct windows files exist and then adding a boot
> entry.
>
> Ultimately this is becoming less and less a priority for people because
> it doesn't even work. If you have Windows installed in a normal setup,
> it does its TPM based Bitlocker encryption, you won't be able to start
> it via grub anyhow, but have to boot via the firmware menu. Same for
> other OS, as we move forward to increasingly TPM encrypt OS, dual
> booting only works without a foreign grub in the chain.
>
> What I do want to do is add a boot menu to grub to allow you to boot
> other OS in the boot menu by setting BootNext and resetting the machine;
> but I don't think there's much value to be had sinking considerable
> resources into legacy boot multi booting.
>
> And yes, I want to also add that Windows detection, but I think that's
> a reasonable level of regression for the security benefits.
>
> Alternatively if you feel you need os-prober because you install
> multiple Linux distributions in a BIOS system, I mean, by all means
> enable it and live with the risk or work to sandbox grub-mount, I think
> it could just drop its privileges after opening the device and install
> seccomp filters and whatnot.

Thank you for the comprehensive explanation. I'm glad that the problem was avoided for Ubuntu users. I am not a fan of TPM but accept that it is inevitable.
I agree that your BootNext idea is better in that context.

Good luck,
CC
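As an added illustration of the two ideas raised above (detecting Windows by checking for its well-known boot file rather than running os-prober, and handing off to the firmware with BootNext instead of chainloading), here is a user-space shell script that is not part of this thread or of grub; it assumes efibootmgr is installed and that the EFI System Partition is already mounted.

```bash
#!/bin/sh
# Added example, not code from the thread or from grub. Detects a Windows
# boot manager on an already-mounted EFI System Partition by checking for
# its well-known file, then lets the firmware boot it once via BootNext.

# Path the Windows installer places on the ESP; checking for it needs no
# grub-mount or os-prober, so nothing parses foreign filesystems as root.
WIN_BOOTMGR="EFI/Microsoft/Boot/bootmgfw.efi"

# Constructed sample of `efibootmgr` output, used for the self-test only.
SAMPLE_EFIBOOTMGR='BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0002,0001
Boot0001* Windows Boot Manager	HD(1,GPT,...)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* ubuntu	HD(1,GPT,...)/File(\EFI\ubuntu\shimx64.efi)'

# Return 0 if the ESP mounted at $1 carries a Windows boot manager.
windows_present() {
    [ -f "$1/$WIN_BOOTMGR" ]
}

# Read an efibootmgr listing on stdin and print the four-hex-digit id of
# the "Windows Boot Manager" entry, or nothing if the firmware has none.
windows_boot_id() {
    sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)\*\{0,1\} *Windows Boot Manager.*/\1/p' | head -n 1
}

# One-shot boot into Windows: set BootNext and reboot. Needs root and real
# firmware variables, so the self-test does not call it.
boot_windows_once() {
    esp="${1:-/boot/efi}"
    windows_present "$esp" || { echo "no Windows boot manager on $esp" >&2; return 1; }
    id=$(efibootmgr | windows_boot_id)
    [ -n "$id" ] || { echo "no Windows entry in firmware boot list" >&2; return 1; }
    # BootNext applies to the next boot only; BootOrder is left untouched.
    efibootmgr -n "$id" >/dev/null && systemctl reboot
}
```

Because BootNext is consumed by the firmware on the next start, a Windows volume sealed to the TPM boots through its own measured path exactly as it would from the firmware menu.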