With the recent Windows updates rolled out on August 13, a notable disruption has emerged for users of various Linux distributions. Specifically, certain Linux installation media are now unable to boot due to the blocking of outdated boot loaders. This issue has particularly affected the current Ubuntu 24.04 LTS and its derivatives, such as Desinfec’t.
Security Measures and Their Implications
The root of the problem lies in the security measures implemented by Microsoft. Previous updates had already introduced blacklist entries in the Secure Boot DBX database, which prevented the booting of Linux systems with boot loaders deemed insecure. The latest updates, identified as KB5041571 and KB5041580, have introduced the Secure Boot Advanced Targeting (SBAT) feature, developed by the open-source community. This enhancement aims to address memory limitations in the BIOS of certain motherboards, which struggle to accommodate the DBX database containing signatures of vulnerable boot loaders.
Under the new SBAT framework, the Linux boot loaders Shim and Grub are designed to recognize when secure boot is compromised, leading to their failure to operate. While this update optimizes the size of SBAT blacklists, it does not eliminate the ongoing dependency on Microsoft for the certification and signing of the Linux boot loader Shim for Secure Boot. Consequently, only boot loaders from trusted sources, predominantly Microsoft, can be executed under Secure Boot. However, the introduction of SBAT allows for the disabling of faulty boot loaders without necessitating new entries in the DBX blacklist.
Scope and Impact
As for the scope of the impact, it remains somewhat unclear which systems and distributions are experiencing these boot issues. Microsoft has indicated that the update “does not apply to systems that dual boot Windows and Linux.” Nonetheless, reports are surfacing that suggest Linux boot sticks may also be affected on systems with parallel installations. In contrast, tests conducted on some systems reveal that Ubuntu 24.04 LTS continues to boot without incident. Importantly, Linux installations already residing on hard drives or SSDs will continue to function normally, provided the latest updates have been applied.
Waiting for New Images
To rectify the situation regarding outdated boot loaders, affected distributors will need to update their installation media, a process that may take several days. Alternatively, users have the option to disable Secure Boot on their devices; however, it is crucial to first document or print the Bitlocker recovery key. This precaution is necessary because encrypted Windows installations may react adversely to changes in Secure Boot, potentially prompting a request for the recovery key upon the next startup.
