Linux users hit by a Windows update bug in dual-boot systems – UEFI secure boot error prevents booting.
The Windows update Microsoft released on August 13, 2024 (the August Patch Tuesday) turned out to prevent Linux installations on the same computer from booting alongside Windows. The trigger is a Secure Boot revocation aimed at an old GRUB vulnerability, CVE-2022-2601, a buffer overflow in GRUB's font handling that was fixed upstream in 2022.
The update pushes a new SBAT (UEFI Secure Boot Advanced Targeting) revocation policy into firmware so that boot images built with a vulnerable GRUB can no longer be used to bypass Secure Boot. Microsoft stated that the policy would only be applied to Windows-only systems and that dual-boot configurations would be detected and skipped. In practice that detection did not work reliably: the policy was applied to dual-boot machines as well, and because the shim and GRUB shipped by many distributions still carried SBAT generation numbers below the new minimum, users running even current releases such as Ubuntu 24.04 and Debian 12.6 found their Linux side refusing to boot.
The problem manifests itself by stopping the boot process with the message "Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation".
To restore operation, the SBAT revocation data that the update stored in UEFI needs to be deleted. Disable Secure Boot in the firmware setup, boot into the installed Linux system (Secure Boot can be off at this point), and run "sudo mokutil --set-sbat-policy delete" in a terminal. Then reboot into Linux once more so that shim applies the delete policy and clears the stored SBAT level. After that, Secure Boot can be re-enabled in the firmware. Make sure the Linux side is also updated to a shim and GRUB whose SBAT generation numbers meet the new policy, otherwise the same failure can recur the next time a revocation is applied.
SBAT, developed by Red Hat in collaboration with Microsoft, is a metadata scheme in which each signed boot component (shim, GRUB, and so on) carries a small ".sbat" section listing the component name, a generation number, and vendor, package, version and URL information. Because the section is part of the signed PE image, it is covered by the Authenticode signature. A revocation list, stored in the "SbatLevel" UEFI variable, simply names components and the minimum generation number each must have; shim refuses to run any image whose generation for a listed component is lower than the required one. This lets a whole class of vulnerable builds be blocked by bumping a single number, without revoking the signing certificate and without adding an entry per binary to the UEFI forbidden-signature database (dbx), which is limited in size and was the only revocation mechanism before SBAT.
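The following script is an added example and is not code from the page, from shim or from mokutil. It reproduces shim's SBAT comparison offline so you can tell, before rebooting, whether a given revocation list would reject a given shim or GRUB, which is the decision behind the "SBAT self-check failed" message above. The ".sbat" contents and the revocation list are constructed for illustration (real generation numbers depend on the distribution's packages), and the live-mode helpers assume the efivarfs layout (4 attribute bytes followed by the data), the SbatLevel variable path under shim's GUID, and a binutils objcopy invocation to extract the ".sbat" section; treat those as assumptions to verify on your own system.

```python
# Added example: offline reproduction of shim's SBAT revocation check.
import subprocess
import sys
from dataclasses import dataclass

# Constructed, illustrative .sbat contents of an old and a new shim.
# One CSV line per component:
#   component,generation,vendor name,vendor package,vendor version,url
OLD_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,15.4,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.4-1,https://example.invalid/
"""
NEW_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,15.8,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.8-1,https://example.invalid/
"""
# Constructed revocation list in SbatLevel format: component,minimum generation.
# The first line's third field is the list's own datestamp.
SBAT_LEVEL = """\
sbat,1,2024010900
shim,4
grub,3
grub.example,2
"""

@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    info: tuple  # vendor name, package, version, URL (informational only)

def parse_sbat_section(text):
    """Parse the CSV lines of a PE image's .sbat section."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed .sbat line: {raw!r}")
        entries.append(SbatEntry(fields[0], int(fields[1]), tuple(fields[2:])))
    return entries

def parse_sbat_level(text):
    """Parse an SbatLevel revocation list into {component: minimum generation}."""
    required = {}
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) >= 2 and fields[0]:
            required[fields[0]] = int(fields[1])
    return required

def check_image(entries, required):
    """Return (component, image_generation, required_generation) for every
    component whose generation is below the list's minimum.  A component not
    on the list is never revoked; a component absent from the image is not
    checked.  An empty result means shim would accept the image."""
    return [(e.component, e.generation, required[e.component])
            for e in entries
            if e.component in required and e.generation < required[e.component]]

def read_efivar(path):
    """Read a UEFI variable through efivarfs (assumed: 4 attribute bytes, then data).
    Assumed path: /sys/firmware/efi/efivars/SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23"""
    with open(path, "rb") as f:
        data = f.read()[4:]
    return data.rstrip(b"\0").decode("ascii")

def read_sbat_section(pe_path):
    """Extract the .sbat section of a signed PE image (assumed objcopy recipe)."""
    out = subprocess.run(
        ["objcopy", "-O", "binary", "--only-section=.sbat",
         "--set-section-flags", ".sbat=alloc", pe_path, "/dev/stdout"],
        check=True, capture_output=True).stdout
    return out.rstrip(b"\0").decode("ascii")

def demo():
    """Check the constructed old and new shim against the constructed list."""
    level = parse_sbat_level(SBAT_LEVEL)
    return (check_image(parse_sbat_section(OLD_SHIM_SBAT), level),
            check_image(parse_sbat_section(NEW_SHIM_SBAT), level))

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live mode: python3 sbatcheck.py <SbatLevel efivar path> <shimx64.efi>
        level = parse_sbat_level(read_efivar(sys.argv[1]))
        bad = check_image(parse_sbat_section(read_sbat_section(sys.argv[2])), level)
    else:
        bad, _ = demo()
    for comp, have, need in bad:
        print(f"{comp}: generation {have} < required {need} -> Security Policy Violation")
    if not bad:
        print("no SBAT violation")
```

Run without arguments to see the constructed old shim rejected on "shim" (generation 1 against a required 4) while the new one passes; run with the SbatLevel variable and your installed shim to check a real system. Note that shim applies the same comparison to itself first (the "self-check" in the error message) and then to every image it loads, so a GRUB with an old "grub" generation fails in the same way even when shim itself is current.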
Much as with the CrowdStrike outage earlier in the year, the update was not tested thoroughly enough: Microsoft's dual-boot detection failed and the policy was applied to systems it was meant to skip. At the same time, several Linux distributions had not yet shipped shim and GRUB builds with the SBAT generation numbers raised after the GRUB vulnerabilities were fixed, which is why their current releases were caught by the revocation.
So, if you are running a dual-boot system with Linux and Windows, keep a watch on the Windows updates.
If you are affected, a detailed workaround is available on these pages:
- https://discourse.ubuntu.com/t/sbat-revocations-boot-process/34996
- https://askubuntu.com/questions/1523438/verifying-shim-sbat-data-failed-security-policy-violation