Recently, Microsoft released a Windows update that accidentally crashed a wrecking ball into systems that dual-boot Linux. This wasn’t supposed to happen, but users who dual-boot Linux and Windows are seeing “Verifying shim SBAT data failed: Security Policy Violation” and “Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation” errors.
This issue is affecting Ubuntu, Debian, Linux Mint, Zorin OS, and Puppy Linux.
The update was issued to resolve a vulnerability that allowed bad actors to bypass Secure Boot (which is there to prevent malicious firmware from being loaded during the boot process). To achieve this, an SBAT (Secure Boot Advanced Targeting) update was applied. That update was not supposed to be applied to dual-boot machines… but it was.
Although Microsoft has yet to comment on the issue, there is a workaround for Ubuntu users. Here are the steps to solve the problem.
- Disable Secure Boot in the BIOS (how this is done will depend on your PC make and model).
- Log into a user account with sudo privileges.
- Ensure that Secure Boot is disabled with the command mokutil --sb (the output of the command should be SecureBoot disabled; if you don’t see that message, reboot, access the BIOS, and make sure Secure Boot is disabled).
- To manually delete Microsoft’s SBAT Policy, open a terminal window and issue the command sudo mokutil --set-sbat-policy delete. Reboot the machine and log back in with the same user to update the SBAT policy.
- Once you’ve done this, reboot the machine, access the BIOS, and re-enable Secure Boot.
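To see why the error appears at all, the following added example (not from the original article or from Microsoft or shim) emulates the comparison behind the SBAT check: a boot component is refused when its generation number is lower than the minimum the installed SBAT policy requires. It goes beyond the steps above; the function name sbat_violations and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate the generation comparison behind shim's SBAT check.
# The function name and every sample value below are constructed.

# sbat_violations POLICY METADATA
#   POLICY:   "component,min_generation" lines (the installed SBAT policy)
#   METADATA: "component,generation,..." lines (a boot binary's SBAT entries)
# Prints one line per component whose generation is below the required
# minimum. Returns 1 if any component is too old, 0 otherwise.
sbat_violations() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F, '
        $0 == "---" { meta = 1; next }          # separator: policy ends here
        NF < 2      { next }                    # skip blank or malformed lines
        !meta       { min[$1] = $2 + 0; next }  # remember policy minimum
        ($1 in min) && ($2 + 0 < min[$1]) {
            printf "%s: generation %d < required %d\n", $1, $2, min[$1]
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed policy: requires grub generation 3 or newer.
POLICY='sbat,1,2024010900
shim,4
grub,3'

# Constructed metadata for an older and a newer bootloader build.
OLD_GRUB='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,2,Example Upstream,grub,2.04,https://example.invalid/grub
grub.example,1,Example Distro,grub2,2.04-1,https://example.invalid/distro'

NEW_GRUB='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,4,Example Upstream,grub,2.12,https://example.invalid/grub
grub.example,1,Example Distro,grub2,2.12-1,https://example.invalid/distro'

sbat_violations "$POLICY" "$OLD_GRUB" || echo "old build: would be refused"
sbat_violations "$POLICY" "$NEW_GRUB" && echo "new build: passes the policy"
```

On a real system the policy side can be read with mokutil --list-sbat-revocations.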
This isn’t the only issue to affect Secure Boot lately. The last year and a half has seen four vulnerabilities capable of neutralizing Secure Boot such that malicious code could be injected during the boot process.
Microsoft has yet to address the issue publicly, but it did state (in the bulletin for CVE-2022-2601) that the update won’t apply to systems that dual-boot Windows and Linux. Clearly, it was wrong about this, as you can read accounts of the issue on Framework, Reddit, and the Linux Mint forums.
Source: Robotics - zdnet.com