Hector Martin

I think that's in BIOS itself? You gotta disable safe boot or whatever. If you're having trouble accessing the option, you have to give your BIOS a password before it'll let you deactivate it.

that is not true. boot order is in EFI vars which, mostly for worse, means that self-centered operating systems can fuck with it. this is absolutely a problem on the windows side.

No, it depends. There are firmwares out there that rewrite the boot entries despite everything we out in section 3 of the spec, and some that delete things they don't recognize (or even dumber...). I wonder if any stop you from creating BootOrder as an authenticated var... ;)

*everything we /put/ in section 3. *sigh*

It's Windows. It happens when I boot Windows. After putting Linux back on top it stays there until some Windows boot decides to change it back. I don't even boot Windows from the BIOS menu, I chainload it from GRUB so I don't even *need* that UEFI boot entry.

then the shitty strategy proposed above and on the Arch wiki of using bcdedit to have the Windows entry load GRUB is probably your best bet :)

That won't work... Because I also boot this Windows install virtualized. And the *virtual* UEFI needs to have the Windows boot manager first, lest I accidentally boot Linux twice at the same time and corrupt everything. I just want it to stop touching my EFI vars :(

Hmm. What we need is a grub module that knows you're in a VM and let's you tell it to boot a different default when you are, so you can safely chain load without fear in the VM ;)