Thursday, August 22nd 2024

Dual-Boot Linux Users Need to Update Systems Due to GRUB/SBAT Policy Changes in Windows

Multiple users have reported that the August 13 Windows 11 update breaks dual-boot Linux/Windows configurations. The breakage comes from a change in UEFI Secure Boot Advanced Targeting (SBAT) policy, not from anything Windows does to the Linux installation itself. SBAT is a revocation mechanism for signed boot components: each component (shim, GRUB) carries a .sbat section that names the component and gives it a generation number, and a policy stored in a UEFI variable (SbatLevel) lists the minimum generation allowed for each component. The Windows update writes a newer SBAT policy into that variable, raising the minimum generation for GRUB past the builds affected by known, exploitable GRUB vulnerabilities. On the next Linux boot, the distribution's shim enforces that policy and refuses to load an older GRUB (and, where the shim itself is too old, fails its own self-check), which surfaces as errors such as "Verifying shim SBAT data failed: Security Policy Violation" or "Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation." Note that this is a revocation of outdated components by generation number, not of certificates; the Microsoft signature on the shim is unaffected. To resolve the issue, Linux users need to install their distribution's updated shim and GRUB packages, or, with Secure Boot temporarily disabled, boot Linux and clear the SBAT policy (sudo mokutil --set-sbat-policy delete) before re-enabling Secure Boot.

It's important to note that this is not primarily a Microsoft problem, but rather a necessary security update that bites distributions shipping outdated or vulnerable bootloaders. For more information on SBAT revocations and the boot process, see the Ubuntu Discourse post at discourse.ubuntu.com/t/sbat-revocations-boot-process/34996. The problem particularly impacts software developers and gaming enthusiasts who rely on dual-boot setups. As always, back up your data before performing any system update, and confirm that the backup actually restores. Users who need to stay on an older Linux distribution should consider running it in a virtual machine instead of dual-booting.
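A worked example of the generation check described above, added here and not code from shim, GRUB or Microsoft: it reimplements the comparison shim makes between the SbatLevel policy and a component's .sbat section so you can predict whether a given GRUB or shim binary would be refused. The policy and component entries below are constructed for illustration, not copied from a real system; the objcopy and efivars commands in the comments are how you would obtain real inputs on a Linux box.

```shell
#!/usr/bin/env bash
# Added example (not shim's code): reproduce shim's SBAT generation check so you
# can tell in advance whether a GRUB or shim binary passes a given SbatLevel policy.
#
# Getting real inputs on a Linux box (binutils and efivarfs required):
#   objcopy -O binary --only-section=.sbat /boot/efi/EFI/<distro>/grubx64.efi /dev/stdout
#   tail -c +5 /sys/firmware/efi/efivars/SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23
# The first dumps the component's .sbat CSV; the second prints the active policy
# (the first 4 bytes of an efivars file are attribute flags, hence the skip).

# sbat_check POLICY_TEXT COMPONENT_SBAT_TEXT
#   Policy lines:    component,min_generation[,date]  (the "sbat,..." line is a header)
#   Component lines: component,generation,vendor,package,version,url
#   Exit 0: component passes. Exit 1: an entry is below the required generation.
sbat_check() {
  printf '%s\n' "$2" | awk -F, -v policy="$1" '
    BEGIN {
      n = split(policy, pline, "\n")
      for (i = 1; i <= n; i++) {
        split(pline[i], f, ",")
        if (f[1] != "" && f[1] != "sbat") min[f[1]] = f[2] + 0
      }
    }
    $1 == "sbat" || $1 == "" { next }          # header / blank lines
    ($1 in min) && ($2 + 0 < min[$1]) {        # named in the policy and too old
      printf "revoked: %s generation %d < required %d\n", $1, $2, min[$1]
      bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample data; generations are illustrative, not a real SbatLevel
# value or real binaries.
POLICY='sbat,1,2024010900
shim,4
grub,4'

GRUB_OLD='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/'

GRUB_FIXED='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/'

# A component the policy does not name at all is unaffected by it.
OTHER_LOADER='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,255,https://systemd.io/'

for name in GRUB_OLD GRUB_FIXED OTHER_LOADER; do
  eval "component=\$$name"
  if sbat_check "$POLICY" "$component"; then
    echo "$name: allowed"
  else
    echo "$name: refused (Security Policy Violation)"
  fi
done

# Remedy once you know a binary would be refused: install the distribution's
# updated shim/GRUB packages, or, with Secure Boot temporarily disabled in
# firmware, clear the policy with
#   sudo mokutil --set-sbat-policy delete
# reboot, and re-enable Secure Boot afterwards.
```

The check only compares generation numbers for components the policy actually names, which is why an unlisted loader passes and why updating GRUB (raising its generation to meet the policy) is the clean fix rather than clearing the policy.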
Source: via Hardwareluxx.de

53 Comments on Dual-Boot Linux Users Need to Update Systems Due to GRUB/SBAT Policy Changes in Windows

#1
Chaitanya
MS is a shell of its former self.
#2
Daven
Windows is dying. I recently switched to it from MacOS for my job. There are so, so, so many bugs, incompatibilities and poor UX experience. Again Windows is dying. MS is moving more towards its services in the enterprise and cloud space that Windows gets very little attention. I hope that a replacement OS from another provider can come as soon as possible and end this miserable product.
#3
DeathtoGnomes
So the fight with Linux has begun, will MS fix this or will they just say "oh well deal with it"
#4
CGLBESE
Damn! I recently moved to dual boot and everything is now done through my Linux installation (even gaming, thanks to Lutris and to Steam interest in Linux gaming).

I guess I will wait for a fix before getting the last few documents I haven't yet transferred... :-/
#5
rv8000
Daven: Windows is dying. I recently switched to it from MacOS for my job. There are so, so, so many bugs, incompatibilities and poor UX experience. Again Windows is dying. MS is moving more towards its services in the enterprise and cloud space that Windows gets very little attention. I hope that a replacement OS from another provider can come as soon as possible and end this miserable product.
Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
#6
Unregistered
Using Windows is like being stuck in an abusive relationship.
We pay MS and they give us crap, cull our data, and shove ads into their (paid-for) product.
#7
Daven
rv8000: Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
There is not a single ounce of truth in anything you just said.
#8
rv8000
Daven: There is not a single ounce of truth in anything you just said.
There absolutely is, I use Softplan on occasion for drawing coordination with an Architect, and what do ya know not supported on macOS. You can find hundreds if not thousands of more examples, but if you wanna pretend macOS or Mac has wider software support, you can keep on dreaming.
#9
xorbe
DeathtoGnomes: So the fight with Linux has begun
As an openSUSE user, Tumbleweed has managed to have its own share of secure boot issues along the way. Nobody seems to test the secure boot feature very well or in various configurations. I doubt it was intentional on MS' part.
#10
Daven
rv8000: There absolutely is, I use Softplan on occasion for drawing coordination with an Architect, and what do ya know not supported on macOS. You can find hundreds if not thousands of more examples, but if you wanna pretend macOS or Mac has wider software support, you can keep on dreaming.
If only the whole world used Softplan as their one and only one software application, then I would be more receptive to what you are saying. Since it is not, many personal and professional uses of computers are moving to different devices and OSes since the days of 95% Windows OS share for internet connected devices. The transition cannot happen fast enough and I don't even think MS would care as they have pivoted away from the Windows OS business a few years ago.
#11
Wirko
Can users repair the boot loader themselves or do they have to wait for MS's fix?
#12
OneMoar
There is Always Moar
Fix title please: the issue is a distro/GRUB problem, not a Microsoft one.

The issue is that Microsoft started enforcing SBAT and has revoked some old, exploitable certificates.
Many distros use a self-signed UEFI shim, which is no longer allowed due to exploits. The new update revokes the SBAT cert on affected, known exploitable versions of GRUB shipped with some distros.
discourse.ubuntu.com/t/sbat-revocations-boot-process/34996
Updating GRUB or disabling the SBAT policy on the Linux side will resolve the issue.

tl;dr: Linux users need to update their systems before crying about Microsoft.
#13
KellyNyanbinary
Microsoft disables old, vulnerable bootloaders.

Linux users complain about their old, vulnerable bootloaders being disabled.
#14
_roman_
OneMoar: Fix title please: the issue is a distro/GRUB problem, not a Microsoft one.
It's more a user issue, I think.
When you do not know how the boot process of your box works, you are doing something wrong. Or you are just too lazy to learn and read.

I came to the conclusion that I do not need a bootloader anymore with an efistub kernel with an UEFI based mainboard. wiki.gentoo.org/wiki/EFI_stub

ASUS X670-P Prime and MSI B550 Gaming EDGE WIFI have an error in the UEFI. When I did not set my efi stub kernel as first place, as default, it will be forgotten very often.

There are different ways to write UEFI boot entries. I use: wiki.gentoo.org/wiki/Efibootmgr
efibootmgr is a tool for managing UEFI boot entries.

It is not a bootloader. It is a tool that interacts with the EFI firmware of the system, which itself is acting as a boot manager. Using efibootmgr boot entries can be created, reshuffled and removed.
--

Make backups. test restore the backups to see if your backup strategy works.

--
Wirko: Can users repair the boot loader themselves or do they have to wait for MS's fix?
Assuming you know your boot process, this has always been possible since Linux kernel version 2.0.0. I do not know about before that point.

--

I think the whole issue is about the Secure Boot option and an outdated certificate. The author may look into it in more detail and update the news post, please.
#15
umeng2002
When will we get dual BIOS motherboards?
#16
AleksandarK
News Editor
OneMoar: Fix title please: the issue is a distro/GRUB problem, not a Microsoft one.

The issue is that Microsoft started enforcing SBAT and has revoked some old, exploitable certificates.
Many distros use a self-signed UEFI shim, which is no longer allowed due to exploits. The new update revokes the SBAT cert on affected, known exploitable versions of GRUB shipped with some distros.
discourse.ubuntu.com/t/sbat-revocations-boot-process/34996
Updating GRUB or disabling the SBAT policy on the Linux side will resolve the issue.

tl;dr: Linux users need to update their systems before crying about Microsoft.
Thanks! I re-did the article with new info, so now updated!!!
#17
marios15
rv8000: Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
Don't worry. Microsoft is making sure that "universal support for software" is going away with all their changes.
#18
CGLBESE
AleksandarK: Thanks! I re-did the article with new info, so now updated!!!
Then it's a total different story...

Thanks for the update (and thanks to all that pointed the root cause out)
#19
lexluthermiester
AleksandarK: However, the issues are actually related to changes in UEFI Secure Boot Advanced Targeting (SBAT) policies.
My response to this is: Someone please take Windows away from microsoft so we can have sensible solutions to problems and proper progression forward that serves the needs of the user FIRST..
#20
R-T-B
lexluthermiester: My response to this is: Someone please take Windows away from microsoft so we can have sensible solutions to problems and proper progression forward that serves the needs of the user FIRST..
This was literally revocation of known exploited keys. I'm unsure how else they COULD have handled it. Ignoring that these keys were compromised was not really a sane option.
#21
HughMungus
I have a feeling when SteamOS officially launches their desktop OS that Windows will take a bit of a hit.
#22
_roman_
R-T-B: This was literally revocation of known exploited keys. I'm unsure how else they COULD have handled it. Ignoring that these keys were compromised was not really a sane option.
It would be enough to just show big, non-click-away pop-up messages.

Windows 11 Pro annoys me very often with messages like "Use a Microsoft online account" and other nonsense. That code exists. Just reuse it with a changed text.

Microsoft coders are most likely stupid. Destroying data. Someone who destroys data is stupid. Fact. Someone who writes code which destroys data is stupid. There used to be install dialogs with text, and warning text: do not click here, else ... it may render your box not bootable, and such.

I dislike "Linux" .... etc. in the article. That is wrong. It should be named. Ubuntu has an issue with outdated bootloader with activated Secure boot option. Assuming that this is the fact here. All those text and ubuntu page is not really clear, what the issue is. This also shows that ubuntu responsible text writers do not know where and what the issue is.

My Gentoo Linux is not affected. I also use a Linux kernel in the EFI-stub kernel variant, with another userspace and another toolchain. Assuming the date of the article is correct, my box was not "ruined" by the last Windows 11 Pro update I did a few days ago. Then I activated the 5-weeks-no-update option.

People forget. It is not a Linux issue. It is a bootloader issue. And that is a userspace issue. And that is not Linux related, because it is not the Linux kernel itself.

In comparison, when we talk about Windows, we usually mean the whole package: Windows kernel, the whole operating system with the "userspace" and provided software and bootloader.

Feel free to go to kernel.org and download. Read the gentoo handbook or the arch linux install guide. Read and understand the boot process please. Read lilo, grub 1 or grub 2 docs to understand what a bootloader does.
#23
Tahagomizer
"A necessary solution to ensure security". I'm sure I read those words in a book concerning mid-XX century European history. Or was it a book about USA government drugging and poisoning own citizens?
In any way, it's a good practice to first warn users about an update potentially making many systems unusable, at least for a while. But, Microsoft being a company run by monkeys mindlessly chanting "AI", is obviously not privy to revolutionary ideas like "good practices". A week's notice would not compromise security much further but would save some headache.
#24
GoldenX
Never share an EFI partition with Windows. This has been the case since Windows 8 got released.
#25
Zareek
Double-Click: Using Windows is like being stuck in an abusive relationship. We pay MS and they give us crap, cull our data, and shove ads into their (paid-for) product.
I love that analogy!
Tahagomizer: In any way, it's a good practice to first warn users about an update potentially making many systems unusable, at least for a while. But, Microsoft being a company run by monkeys mindlessly chanting "AI", is obviously not privy to revolutionary ideas like "good practices". A week's notice would not compromise security much further but would save some headache.
Get out of my head!
HughMungus: I have a feeling when SteamOS officially launches their desktop OS that Windows will take a bit of a hit.
Yes please! Although, that might only add to my biggest gripe with Linux, segmentation. If everyone just came together and made one unified Linux desktop distro, it could run circles around Windows. It already does as a server OS.