Thursday, August 22nd 2024

Dual-Boot Linux Users Need to Update Systems Due to GRUB/SBAT Policy Changes in Windows

Multiple users have recently reported that the August 13 Windows 11 update causes issues with dual-boot Linux/Windows configurations. However, the issues are actually related to changes in UEFI Secure Boot Advanced Targeting (SBAT) policies. The issue stems from Microsoft enforcing SBAT and revoking old, exploitable certificates. Many Linux distributions use self-signed UEFI shims, which are no longer allowed due to known exploits. The new update revokes the SBAT certificates on affected, known exploitable versions of GRUB shipped with some Linux distributions. This can result in error messages like "Verifying shim SBAT data failed: Security Policy Violation" or "Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation." To resolve this issue, Linux users need to update GRUB or disable the SBAT policy on the Linux side.
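As an added illustration (not code from the article, from shim, or from any distribution), the following Python models the SBAT self-check that produces the "Security Policy Violation" message above: it parses the CSV metadata that a shim or GRUB binary carries in its .sbat section and the firmware-side revocation policy (the SbatLevel data the update raised), and refuses any component whose generation number is below the policy's minimum. The .sbat contents and policy values are constructed samples, not taken from any real binary or update.

```python
from dataclasses import dataclass

# Added example, not shim's real code. A .sbat section is CSV with fields
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url.
# The firmware-side policy (SbatLevel style) is CSV with fields component_name,minimum_generation.

@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    rest: tuple  # remaining CSV fields, kept only for display

def parse_sbat_section(text: str) -> list[SbatEntry]:
    """Parse .sbat (or policy) CSV; blank lines and '#' comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append(SbatEntry(fields[0], int(fields[1]), tuple(fields[2:])))
    return entries

def parse_sbat_policy(text: str) -> dict[str, int]:
    """Revocation policy as {component: minimum allowed generation}."""
    return {e.component: e.generation for e in parse_sbat_section(text)}

def check_sbat(section_text: str, policy_text: str) -> list[str]:
    """Return violations; an empty list means the binary passes the SBAT check."""
    policy = parse_sbat_policy(policy_text)
    violations = []
    for entry in parse_sbat_section(section_text):
        minimum = policy.get(entry.component)
        # A component is refused only if the policy names it and its generation is too old.
        if minimum is not None and entry.generation < minimum:
            violations.append(f"{entry.component}: generation {entry.generation} < required {minimum}")
    return violations

# Constructed sample .sbat data: an old GRUB build (grub generation 1) and a fixed one (generation 3).
OLD_GRUB_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.exampledistro,1,Example Distro,grub2,2.06-1,https://example.invalid/grub
"""
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("\ngrub,1,", "\ngrub,3,")

# Constructed policy: shim below generation 2 and grub below generation 3 are refused.
REVOCATION_POLICY = "sbat,1,2024010100\nshim,2\ngrub,3\n"

if __name__ == "__main__":
    for name, sbat in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        problems = check_sbat(sbat, REVOCATION_POLICY)
        print(name, "->", "Security Policy Violation: " + "; ".join(problems) if problems else "OK")
```

Updating GRUB corresponds to shipping a binary whose grub generation meets the policy minimum; the same check then passes.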

It's important to note that this is not primarily a Microsoft problem, but rather a necessary security update that affects some Linux distributions using outdated or vulnerable bootloaders. For more information on SBAT revocations and the boot process, users can refer to the Ubuntu Discourse here. This problem particularly impacts software developers and gaming enthusiasts who rely on dual-boot setups. As always, it's good practice for users to back up their data before performing any system updates. Considering alternatives like using virtual machines is also a good choice for users relying on older Linux distributions.
Source: via Hardwareluxx.de

53 Comments on Dual-Boot Linux Users Need to Update Systems Due to GRUB/SBAT Policy Changes in Windows

#26
R-T-B
_roman_ wrote:
> It would be enough to just make big non clickaway pop up messages.
Talk to UEFI secure boot implementations then, because no such facility exists in any UEFI anywhere. In other words you are asking for something Microsoft can't even provide.
#27
A Computer Guy
CGLBESE wrote:
> Damn! I recently moved to dual boot and everything is now done through my Linux installation (even gaming, thanks to Lutris and to Steam interest in Linux gaming).
>
> I guess I will wait for a fix before getting the last few documents I haven't yet transferred... :-/
These days I handle dual boot by swapping disks in my hot swap bay - problem solved!
#28
Darmok N Jalad
rv8000 wrote:
> Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
As more stuff goes web-based, that support is unnecessary, and honestly what MS seems to be pushing for, even in its own suite of apps. Office on a web browser is looking an awful lot like Office the standalone suite. At my workplace, we appear to be migrating away from a lot of software that is dependent on a particular platform. You'll always have some outliers, sure, but I can do a lot of my job through a Chromium browser in Linux, and a lot of other things with Office apps on an iPad. We've come a long way for sure. I think this is why Windows is in the state it's in (telemetry, ads, partners), because they know its dominance has diminished substantially in the last decade.
#29
Solaris17
Super Dainty Moderator
Does this actually affect the bigger distros that have keys MS has blessed like Ubuntu?
#30
lexluthermiester
R-T-B wrote:
> This was literally revocation of known exploited keys. I'm unsure how else they COULD have handled it. Ignoring that these keys were compromised was not really a sane option.
The implication I was making was to suggest that microsoft should be using software security schemes instead of relying on hardware based nonsense.
Solaris17 wrote:
> Does this actually affect the bigger distros that have keys MS has blessed like Ubuntu?
And this is an example of the problem: Booting an OS on a UEFI system that has Windows installed requires the blessing of microsoft UNLESS users shutoff secure-boot, which they are pushing hardcore. It's an entirely incompetent way of doing things.
#31
rv8000
Darmok N Jalad wrote:
> As more stuff goes web-based, that support is unnecessary, and honestly what MS seems to be pushing for, even in its own suite of apps. Office on a web browser is looking an awful lot like Office the standalone suite. At my workplace, we appear to be migrating away from a lot of software that is dependent on a particular platform. You'll always have some outliers, sure, but I can do a lot of my job through a Chromium browser in Linux, and a lot of other things with Office apps on an iPad. We've come a long way for sure. I think this is why Windows is in the state it's in (telemetry, ads, partners), because they know its dominance has diminished substantially in the last decade.
When rendering, CAD, video, audio, modeling etc… work can be done in a web browser you might have a point… in 30+ years.

Large businesses or even small ones using software such as the above are all highly resistant/apprehensive to change software by the snap of a finger. Basic office task software being used as a point to prove otherwise is a pretty naive assessment. Software being web based and OS agnostic also doesn’t give a business an immediate reason to migrate away from Windows. Then there's budgets to consider and so on…

Microsoft accounts for 72% of OS install base, and that's not going to change in a short time span even with the majority of their nonsense.
#32
Darmok N Jalad
rv8000 wrote:
> When rendering, CAD, video, audio, modeling etc… work can be done in a web browser you might have a point… in 30+ years.
>
> Large businesses or even small ones using software such as the above are all highly resistant/apprehensive to change software by the snap of a finger. Basic office task software being used as a point to prove otherwise is a pretty naive assessment. Software being web based and OS agnostic also doesn’t give a business an immediate reason to migrate away from Windows. Then there's budgets to consider and so on…
>
> Microsoft accounts for 72% of OS install base, and that's not going to change in a short time span even with the majority of their nonsense.
Except when companies make a cost-saving move to extend BYOD to the employee work computer. It's been kicked around for a long time. And it's not really that naive. There are lots of workers in many companies that simply don't need any more than to run Office and a web browser. My company isn't small, and I'd bet that over half of the workforce doesn't need any more than that. We have work management systems that are browser-based for non-designers. Of course there will always be a place for software running directly, but there's also a place where it's unnecessary. My point is that Windows + installed software was the obvious default in the work environment not long ago, but it's migrating away from that for many workers. You might assume that I don't do anything of production value on my work PC, but it's actually my full time job to manage data and publish reports, and I'm realizing that much of what I do is not all that Windows dependent anymore. It's definitely still Microsoft dependent, and that's what MS still needs to keep hold of.
#33
Solaris17
Super Dainty Moderator
lexluthermiester wrote:
> And this is an example of the problem: Booting an OS on a UEFI system that has Windows installed requires the blessing of microsoft UNLESS users shutoff secure-boot, which they are pushing hardcore. It's an entirely incompetent way of doing things.
No; I think I'm having a hard time wrapping my head around this. The factory platform keys and any system made by MS or certified by them (Pluton etc.) have key stores that need to be blessed by MS. That's understandable. However, anyone can make or enter custom keys, and I am trying to be more tight-lipped about it given I haven't had time to read this; but it reads like people are using the default Secure Boot keys, and now bitching because they are using non-first-rate distros that don't have signed keys.

That was always asking for trouble, just like you have always been able to enter your own key in the BIOS. I understand this affects a lot of people, but if the issue REALLY is just using the default platform keys then.....you were always playing with fire; and it could have always been avoided.
#34
Neo_Morpheus
Daven wrote:
> If only the whole world used Softplan as their one and only one software application, then I would be more receptive to what you are saying. Since it is not, many personal and professional uses of computers are moving to different devices and OSes since the days of 95% Windows OS share for internet connected devices. The transition cannot happen fast enough and I don't even think MS would care as they have pivoted away from the Windows OS business a few years ago.
I am a Mac fan since the first one, but I am not that hardcore a fanboi to ignore the realities of the computing world.

Macs are still missing a lot of software that only exists in Windows. Plain and simple.

Also, Apple is not making it easy for everyone to adopt them. Example: I need a new Mac and I like the Studio, but not only is that thing grossly overpriced, Apple, in the typical consumer-hostile way, made that system almost impossible to open up just so you can dust it off. Imagine having to take the time to unplug it and carry it to an Apple store just to have it dusted off. Worse, you will have to pay for that if out of AppleCare coverage.
HughMungus wrote:
> I have a feeling when SteamOS officially launches their desktop OS that Windows will take a bit of a hit.
Well, you still need the likes of Adobe and even MS to release their programs on Linux and clearly, they don't have such plans.
GoldenX wrote:
> Never share an EFI partition with Windows. This has been the case since Windows 8 got released.
Well, I did a test drive on an Alpha workstation by installing NT, so I will say, way before that.
Zareek wrote:
> Yes please! Although, that might only add to my biggest gripe with Linux, segmentation. If everyone just came together and made one unified Linux desktop distro, it could run circles around Windows. It already does as a server OS.
Amen. As a huge fan of Linux, sadly I agree, their segmentation is their worst enemy.
Darmok N Jalad wrote:
> As more stuff goes web-based, that support is unnecessary
In the future? Yes, but currently, for all of the programs that I have tested, the web version is always trailing the full client.
Darmok N Jalad wrote:
> and honestly what MS seems to be pushing for, even in its own suite of apps. Office on a web browser is looking an awful lot like Office the standalone suite
But it's lacking a lot of features, like PST in Outlook.
#35
b1k3rdude
So windows updated parts of the UEFI bios without consent.....
#36
Assimilator
Linux users, the first group to whine and complain that "WINDOZE ISNT SECURE", are getting screwed over because... they didn't secure their systems properly, and Windows is making their system more secure. The irony is so thick as to almost be physical.
#37
Naito
Never understood all the hate for Windows. Used it for decades and have found it has only gotten better. Less crashes, less compatibility issues and rarely have to wrestle with it. For me, it just works.
#38
NineMeow
I uninstalled Windows 11 and turned to Linux Mint 3 months ago. It's quite beginner-friendly. As a moderate gamer, I think it satisfied me well.
#39
colossusrageblack
Daven wrote:
> There is not a single ounce of truth in anything you just said.
Outside of niche companies, Windows rules the corporate, and more importantly, government landscape, and that's not going to change any time soon.
#40
R-T-B
Solaris17 wrote:
> Does this actually affect the bigger distros that have keys MS has blessed like Ubuntu?
Not if you aren't running an ancient version.
Assimilator wrote:
> Linux users, the first group to whine and complain that "WINDOZE ISNT SECURE", are getting screwed over because... they didn't secure their systems properly, and Windows is making their system more secure. The irony is so thick as to almost be physical.
To be honest, Linux devs who know what they are talking about should be equally chastising these "critics."
b1k3rdude wrote:
> So windows updated parts of the UEFI bios without consent.....
Not without consent. They own the keys that you are running. That's the premise of secure boot. Linux can do the same. In the past, it even has.
#41
AnotherReader
_roman_ wrote:
> It would be enough to just make big non clickaway pop up messages.
>
> Windows 11 Pro annoys me very often with messages like "Use a Microsoft online account" and other nonsense. That code exists. Just reuse it with a changed text.
>
> Microsoft coders are most likely stupid. Destroying data. Someone who destroys data is stupid. Fact. Someone who writes code which destroys data is stupid. There used to be install dialogs with text. And warning text: do not click here, else ... may render your box not bootable and such.
>
> I dislike "Linux" .... etc. in the article. That is wrong. It should be named. Ubuntu has an issue with an outdated bootloader with the Secure Boot option activated. Assuming that this is the fact here. All that text and the Ubuntu page are not really clear about what the issue is. This also shows that the Ubuntu responsible text writers do not know where and what the issue is.
>
> My Gentoo Linux is not affected. I also use a Linux kernel in the EFI-stub kernel variant. With another userspace and another toolchain. Assuming the date of the article is correct, my box was not "ruined" by the last Windows 11 Pro update I did a few days ago. Then I activated the 5 weeks no update option.
>
> People forget. It is not a Linux issue. It is a bootloader issue. And that is a userspace issue. And that is not Linux related. Because it is not the Linux kernel itself.
>
> In comparison, when we talk about Windows, we usually mean the whole package: Windows kernel, whole operating system with the "userspace" and provided software and bootloader.
>
> Feel free to go to kernel.org and download. Read the Gentoo handbook or the Arch Linux install guide. Read and understand the boot process please. Read LILO, GRUB 1 or GRUB 2 docs to understand what a bootloader does.
I have no issues dual booting with an updated Windows 11 install and Ubuntu 22.04.4.
#42
lexluthermiester
Solaris17 wrote:
> No; I think I'm having a hard time wrapping my head around this. The factory platform keys and any system made by MS or certified by them (Pluton etc.) have key stores that need to be blessed by MS. That's understandable. However, anyone can make or enter custom keys, and I am trying to be more tight-lipped about it given I haven't had time to read this; but it reads like people are using the default Secure Boot keys, and now bitching because they are using non-first-rate distros that don't have signed keys.
>
> That was always asking for trouble, just like you have always been able to enter your own key in the BIOS. I understand this affects a lot of people, but if the issue REALLY is just using the default platform keys then.....you were always playing with fire; and it could have always been avoided.
You're missing the point. The PC should ALWAYS be a free and open platform upon which everyone can build whatever they want. No one entity should have dominant control, ESPECIALLY microsoft.
R-T-B wrote:
> Not if you aren't running an ancient version.
And some people need to. The option to run what-ever-the-hell one wants to, WITHOUT borking the existing OS running side-by-side is a right microsoft needs to stop screwing with. Short-sighted, narrow-minded morons..(not you folks, microsoft)
#43
R-T-B
lexluthermiester wrote:
> And some people need to.
Then turn off secure boot? Or enroll your own key?
#44
lexluthermiester
R-T-B wrote:
> Then turn off secure boot? Or enroll your own key?
Oh? Wouldn't that be nice? Not that simple though as Windows requires SecureBoot unless one uses a bypass..

The smarter solution is for microsoft to use their heads for something other than a seat cushion and create a solution for Windows security that does NOT rely on hardware, IE, is entirely self contained and completely user configurable.
#45
R-T-B
Then just enroll your own key?

I'm sorry but I can't see not revoking literally revoked keys as a legit strategy.
#46
lexluthermiester
R-T-B wrote:
> Then just enroll your own key?
>
> I'm sorry but I can't see not revoking literally revoked keys as a legit strategy.
You're missing the point. I'm suggesting the discontinuation of the keys entirely. They're not needed. There are better and smarter ways of making an OS secure.
#47
R-T-B
lexluthermiester wrote:
> You're missing the point. I'm suggesting the discontinuation of the keys entirely. They're not needed. There are better and smarter ways of making an OS secure.
Well... secure boot itself as a REQUIREMENT has always been a bit iffy with me, so yeah.
#48
dicobalt
I dual boot Fedora off an external m.2 on my laptop, haven't had any problems.
#49
lexluthermiester
R-T-B wrote:
> secure boot itself as a REQUIREMENT has always been a bit iffy with me
Exactly
#50
johnspack
Here For Good!
I always segregate the windows boot loader to a single drive, and only select it during bios boot. I can't afford the infection on my ext4 drives.
It's easy to keep it all separate.