Hello again with another warning,
This article is an important tangent to my previous warning
about Microsoft's "Secure" Boot logic-bomb terrorism
against libre software, impending on 2025-09-11. [1]
It is something that I have known about for quite some time now,
but didn't think to write a PSA on until now.
It happened that ~rdlmda had read my 9/11 warning [1] and decided
to prepare to reboot into UEFI setup to check if the system was
going to be affected by that (and mitigate by changing UEFI setting,
if it was).
Like quite a lot of people nowadays, 'ey decided to let the GNU/Linux system (Linux Mint in this case) download and apply all the available
system updates, to avoid the inconvenience of having to reboot to apply them
at a later date.
But the list of updates in the system also included updates
that would be installed by an unassuming program called "fwupdmgr";
the latter showed in a list of notifications that there were some UEFI-related updates pending, so 'ey just confirmed them all and proceeded.
This latter part was a big mistake.
On the first reboot after the update was applied, instead of booting into the familiar GNU/Linux system,
the boot process stopped before reaching GRUB,
with a cryptic error message that was not easily web-searchable...
because the firmware update was botched and resulted
in a corrupted UEFI boot blacklist, failing the bootup process
and leaving the machine in limbo. [2]
-----
Microsoft has been known to push out UEFI firmware (i.e. BIOS-flashing) "updates" through Windows Update [with mainboard manufacturers' full knowledge], that end up preventing dual-booting users from booting into GNU/Linux
or other libre OSes *all the time*. [3] Since these came via Microsoft's malware-disguised-as-an-OS, it's a no-brainer to see what hidden agenda was behind such "automatic updates"-- which should have been
read as "universal backdoor".
But what many GNU/Linux users didn't know is that corporate-backed distributions ship with direct analogs of that backdoor, which have probably been running behind your back --without your knowledge-- all this time.
Depending on the distribution in question, this backdoor is called
LVFS ("Linux Vendor Firmware Service") and fwupdmgr
("Firmware Update Manager").
What do they do? They query a central remote database using unique identifiers (a privacy breach, if you think of it) from your mainboard, as well as
from many on-board or removable peripherals; then download the latest-and-GrEAteST firmware file for each device found
(all proprietary, of course), then flash them semi-automatically
or automatically, depending on the distro...
And of course, these include UEFI firmware too, because bricking systems
when a BIOS flash goes wrong is their idea of FuN:
https://baronhk.wordpress.com/2023/09/18/the-linux-vendor-firmware-service-is-a-malicious-remote-backdoor-and-you-should-turn-it-off-now/
Let's be honest, you'd probably not randomly go find firmware files
to reflash your DVD drive, hard disk, network card, video card-- or worse, flash your mainboard's UEFI/BIOS on a whim; because you know that
these are risky business, and if that toasted your peripheral
or bricked the entire machine, you often have no way to recover.
If it ain't broke, don't fix it.
Then here comes LVFS/fwupdmgr, which does just that, either automatically
without asking you, or by trying to manufacture your consent by hiding it
in a big pile of system updates; in the same manner as bad representatives sneaking bad laws into routine legislation like the US Congress'
budget reconciliation process... [4]
It is important to realize that running libre OSes is treated as "off-label" usage by computer manufacturers-- most of which are in a complicated love-hate, semi-subservient relationship with Microsoft through Windows OEM
license agreements. Via coercion or persuasion (read: sweet money),
it is only a matter of time before they push a UEFI firmware "update"
which intentionally or unintentionally [5] bricks our libre systems,
while allowing Microsoft Windows (which they treat as "on-label" [6] use)
to run undisturbed.
When you have tested and confirmed that your hardware setup is GNU/Linux-compatible, don't let the manufacturer retroactively
take that away from you through such a universal backdoor. [7]
It's blatant destruction of your property.
I find it egregious that some GNU/Linux distributions are nonchalantly preinstalling these programs and letting them run automatically out of the box.
The incidents that happened to ~rdlmda, ~NeoRoll [9], and many people
before them [3] are fully preventable. Don't let such a thing happen to you.
You all know that having a daily-driver computer suddenly become
unbootable is not fun.
Remove, or at least disable, these backdoors now;
don't say that I didn't warn you.
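For those who want to act on that, here is an added shell script (mine, not part of the original post, and not fwupd's own tooling) that reports whether the LVFS remote and the fwupd systemd units are switched on and prints the command that turns each one off. It assumes fwupd keeps its remotes in /etc/fwupd/remotes.d/*.conf with an "Enabled=" key under "[fwupd Remote]" and ships fwupd.service and fwupd-refresh.timer, as on Linux Mint/Ubuntu; the FWUPD_REMOTES_DIR override and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: report whether fwupd/LVFS is
# switched on and print the commands that turn it off.  Assumes remotes live
# in /etc/fwupd/remotes.d/*.conf ("Enabled=" under "[fwupd Remote]") and that
# fwupd ships fwupd.service and fwupd-refresh.timer; adjust if your distro differs.
REMOTES_DIR="${FWUPD_REMOTES_DIR:-/etc/fwupd/remotes.d}"

# remote_enabled FILE: "true" only if Enabled=true sits inside [fwupd Remote];
# a missing key counts as off.
remote_enabled() {
    awk -F= '
        /^\[/ { in_sect = ($0 == "[fwupd Remote]") }
        in_sect && $1 == "Enabled" { val = tolower($2) }
        END { if (val == "true") print "true"; else print "false" }
    ' "$1"
}

# remote_is_network FILE: "true" when metadata (hence firmware) comes over
# HTTP(S), i.e. this remote can pull new firmware from the net behind your back.
remote_is_network() {
    if grep -qE '^MetadataURI=https?://' "$1"; then echo "true"; else echo "false"; fi
}

# List each enabled network remote and each live fwupd unit with the command that
# disables it.  fwupd.service is D-Bus activated, so it must be masked, not disabled.
audit_fwupd() {
    if ! command -v fwupdmgr >/dev/null 2>&1; then
        echo "fwupdmgr is not installed: nothing to disable."; return 0
    fi
    found=0
    for conf in "$REMOTES_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ "$(remote_enabled "$conf")" = true ] && [ "$(remote_is_network "$conf")" = true ]; then
            echo "enabled network remote '$name':  fwupdmgr disable-remote $name"; found=1
        fi
    done
    if systemctl is-enabled fwupd-refresh.timer 2>/dev/null | grep -qx enabled; then
        echo "metadata refresh timer on:  systemctl disable --now fwupd-refresh.timer"; found=1
    fi
    if systemctl is-active fwupd.service >/dev/null 2>&1; then
        echo "fwupd daemon running:       systemctl mask --now fwupd.service"; found=1
    fi
    [ "$found" -eq 1 ] || echo "No active fwupd remotes or units found."
    return 0
}

audit_fwupd
```

Removing the fwupd package outright (and whatever desktop updater depends on it) is the more thorough option; the script only shows you what is live and how to switch it off.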
Fingers crossed,
~xwindows
[1] "Your GNU/Linux PCs with UEFI "Secure" Boot would no longer boot
past 2025-09-11" [2025-09-04T11:39:46Z]
<news:b9363811-51e8-4853-a407-770f43d58431@tilde.club>
<nntp://news.tilde.club/tilde.meta/714>
<https://tilde.club/~xwindows/tools/netnews/groups/?tilde.meta/714>
[2] See #gopher channel on Tilde.chat IRC network on 2025-09-06T11:45Z.
~rdlmda eventually managed to fix this several days later
by going into the UEFI setup screen, opening the section responsible for
a cryptic-sounding "DBX" database (intentionally-confusing jargon
that means "UEFI boot blacklist"), then choosing to clear the database.
This was a better case, where it was fixable, because the machine
had a proper UEFI setup menu with all the options;
something that many consumer-grade laptops don't have.
[3] http://news.tuxmachines.org/n/2024/08/21/Good_Reason_to_Delete_Windows_Not_Dual_Boot_and_Call_Out_the_Mi.shtml
[4] https://www.404media.co/republicans-try-to-cram-ban-on-ai-regulation-into-budget-reconciliation-bill/
or the following, if you can't get past the member-wall:
https://archive.ph/20250514130643/https://www.404media.co/republicans-try-to-cram-ban-on-ai-regulation-into-budget-reconciliation-bill/
This particular part was, thankfully, eventually removed
in the Senate stage of the legislative process:
https://apnews.com/article/congress-ai-provision-moratorium-states-20beeeb6967057be5fe64678f72f6ab0
^ Warning: ClownFaire-walled
[5] Through lack of testing, neglect, incompetence, and countless
other causes.
While some people might have the urge to quip Robert Hanlon's
adage of "never attribute to malice that which is adequately explained
by stupidity", I would rather say "follow the money", because
"it's an accident" is an easy excuse that is often used by corporations
for covering up sabotage motivated by perverse incentives, monetary force,
or conflicts of interest.
[6] Literally. If in doubt, look around your computer's case,
the box that your computer originally came in, or the box that
your mainboard originally came in: it's almost certain
that you would find at least one well-known symbol there, either a 4-segment
multi-color flag or a colorless oblique silhouette of somebody's 4-segment
glass pane.
[7] Do not ever forget Sony PlayStation 3's OtherOS fiasco.
Even though Sony eventually had to pay a "compensation" settlement
($10/claimant peanuts [8]) nearly a decade after the remote removal
of a function which they originally advertised at sale...
the OtherOS function was never officially reinstated,
and most of the affected users never got the data in that OtherOS
partition back.
[8] https://inkbunny.net/j/337024-Waccoon-finally-got-it-jackpot-
[9] See #meta channel of Newnet.net IRC network at 2024-05-17T23:30Z.
--
xwindows' gallery of freely-licensed artworks
https://tilde.club/~xwindows/ http://tilde.club/~xwindows/ gopher://tilde.club/1/~xwindows/
--- Synchronet 3.20a-Linux NewsLink 1.2