In a recent turn of events, a Windows update from Microsoft has inadvertently caused significant disruptions for users who dual-boot Linux alongside Windows. Reports have surfaced detailing error messages such as "Verifying shim SBAT data failed: Security Policy Violation" and "Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation." These issues are affecting a variety of Linux distributions, including Ubuntu, Debian, Linux Mint, Zorin OS, and Puppy Linux.
Understanding the Update's Impact
The update was initially intended to address a vulnerability that allowed malicious actors to circumvent Secure Boot, a security feature designed to prevent unauthorized firmware from loading during the boot process. To implement this fix, Microsoft introduced an SBAT (Secure Boot Advanced Targeting) update. However, this update was not meant for dual-boot systems, leading to the current complications.
While Microsoft has not yet publicly commented on the situation, a workaround has been identified for Ubuntu users facing these issues. The following steps outline the solution:
- Access the BIOS and disable Secure Boot (the method for doing this varies by PC manufacturer).
- Log into a user account that has sudo privileges.
- Verify that Secure Boot is disabled by executing the command `mokutil --sb`. The expected output should read `SecureBoot disabled`. If this message does not appear, reboot and check the BIOS settings again.
- To manually remove Microsoft's SBAT Policy, open a terminal and enter the command `sudo mokutil --set-sbat-policy delete`. After executing this command, reboot the machine and log back in with the same user to update the SBAT policy.
- Finally, reboot the machine once more, return to the BIOS, and re-enable Secure Boot.
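The workaround steps above, wrapped in a guarded script (an added example, not code from the original article or from Ubuntu): it refuses to delete the SBAT policy unless `mokutil --sb` reports Secure Boot as disabled, and it recognises the two shim errors quoted earlier. The function names and the `MOKUTIL` and `DRY_RUN` variables are assumptions of this sketch, not mokutil features.

```shell
#!/bin/sh
# Added example: precondition check around the SBAT policy reset.
# MOKUTIL and DRY_RUN are hypothetical knobs of this sketch.
MOKUTIL="${MOKUTIL:-mokutil}"

# Map the text printed by `mokutil --sb` to enabled / disabled / unknown.
sb_state() {
    case "$1" in
        *"SecureBoot disabled"*) echo disabled ;;
        *"SecureBoot enabled"*)  echo enabled ;;
        *)                       echo unknown ;;   # e.g. no EFI variables
    esac
}

# Return 0 if a boot-screen message is one of the two shim SBAT failures.
is_sbat_boot_error() {
    case "$1" in
        *"Verifying shim SBAT data failed: Security Policy Violation"*) return 0 ;;
        *"SBAT self-check failed: Security Policy Violation"*) return 0 ;;
    esac
    return 1
}

# Delete the SBAT policy only when Secure Boot is reported as disabled.
# Prints the action taken; returns 1 when the precondition is not met.
reset_sbat_policy() {
    out=$("$MOKUTIL" --sb 2>&1) || true
    state=$(sb_state "$out")
    if [ "$state" != "disabled" ]; then
        echo "refused: Secure Boot is $state; disable it in the BIOS and reboot"
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "dry-run: sudo $MOKUTIL --set-sbat-policy delete"
        return 0
    fi
    sudo "$MOKUTIL" --set-sbat-policy delete &&
        echo "done: reboot, log in as the same user, then re-enable Secure Boot"
}

# Run the reset only when explicitly asked to: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    reset_sbat_policy
fi
```

Setting `DRY_RUN=1` before calling the script with `--run` shows the command that would be issued without changing the policy.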
This incident is not isolated; the past year and a half has seen multiple vulnerabilities that could compromise Secure Boot, allowing for potential injection of malicious code during the boot process. Despite the lack of a formal response from Microsoft, the company previously indicated in its bulletin for CVE-2022-2601 that the update should not affect dual-boot systems. However, user experiences shared on platforms such as Framework, Reddit, and the Linux Mint forums suggest otherwise.