
Dual-Boot Linux Users Need to Update Systems Due to GRUB/SBAT Policy Changes in Windows

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,396 (0.93/day)
Multiple users have recently reported that the August 13 Windows 11 update breaks dual-boot Linux/Windows configurations. However, the issues are actually related to changes in UEFI Secure Boot Advanced Targeting (SBAT) policies. SBAT is a revocation mechanism built into the shim bootloader that most distributions use: every signed boot component (shim, GRUB and so on) carries a `.sbat` section listing its component names and generation numbers, and a policy stored in firmware (the SbatLevel UEFI variable) states the minimum generation allowed per component. Anything below the required generation is refused at boot, so known-vulnerable builds can be blocked without revoking a signing certificate or replacing keys. The Windows update raised that policy to revoke versions of GRUB with known exploitable vulnerabilities which some Linux distributions still ship. On an affected system, shim then refuses to load the old GRUB, with error messages like "Verifying shim SBAT data failed: Security Policy Violation" or "Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation." To recover, Linux users need to update shim and GRUB to builds with current SBAT generations, or clear the SBAT policy from the Linux side (with Secure Boot temporarily disabled, run `mokutil --set-sbat-policy delete`, reboot, then re-enable Secure Boot).

It's important to note that this is not primarily a Microsoft problem, but rather a necessary security update that affects some Linux distributions using outdated or vulnerable bootloaders. For more information on SBAT revocations and the boot process, users can refer to the Ubuntu Discourse post on the topic. This problem particularly impacts software developers and gaming enthusiasts who rely on dual-boot setups. As always, it's good practice for users to back up their data before performing any system updates. Considering alternatives like running older Linux distributions in a virtual machine is also a good choice.



View at TechPowerUp Main Site | Source
 
Joined
Dec 12, 2016
Messages
1,555 (0.55/day)
Windows is dying. I recently switched to it from macOS for my job. There are so, so, so many bugs, incompatibilities and poor UX experiences. Again, Windows is dying. MS is moving more towards its services in the enterprise and cloud space, so Windows gets very little attention. I hope that a replacement OS from another provider can come as soon as possible and end this miserable product.
 
Joined
Jul 16, 2014
Messages
8,165 (2.21/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
So the fight with Linux has begun. Will MS fix this, or will they just say "oh well, deal with it"?
 
Joined
Oct 19, 2022
Messages
21 (0.03/day)
Location
Sweden
Processor Ryzen 5 5600
Motherboard MSI B350M Mortar
Memory 2x8 Gb DDR4 HyperX Black 2133 @ 3200 CL16 + 2x8Gb Corsair DDR4 Vengeance @ 3200 CL16
Video Card(s) Asus Dual Radeon RX 6700 XT
Storage 1x Crucial P2 512Gb, 1x WD "old" Blue 1Tb 7.2k, 1x Seagate ST2000 2Tb 7.2k
Display(s) AOC 24G2 144Hz
Case Fractal Pop Air
Mouse Kone Aimo modded with JPN switches
Keyboard Logitech G 413 or Steelseries 6Gv2 depending on the mood
Damn! I recently moved to dual boot and everything is now done through my Linux installation (even gaming, thanks to Lutris and to Steam interest in Linux gaming).

I guess I will wait for a fix before getting the last few documents I haven't yet transferred... :-/
 
Joined
Apr 14, 2018
Messages
594 (0.26/day)
Windows is dying. I recently switched to it from macOS for my job. There are so, so, so many bugs, incompatibilities and poor UX experiences. Again, Windows is dying. MS is moving more towards its services in the enterprise and cloud space, so Windows gets very little attention. I hope that a replacement OS from another provider can come as soon as possible and end this miserable product.

Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
 
Joined
Mar 15, 2023
Messages
1,077 (2.04/day)
System Name Stugots V
Processor Ryzen 7 5800X3D
Motherboard MSI MAG B550 Tomahawk
Cooling Thermalright PA-120 Black
Memory 2 x 16GB G.Skill 3600Mhz CL16
Video Card(s) ASUS Dual RTX 4070
Storage 500GB WD SN750 | 2TB WD SN750 | 6TB WD Red +
Display(s) Dell S2716DG (1440p / 144Hz)
Case Fractal Meshify 2 Compact
Audio Device(s) JDS Labs Element | Audioengine HD3 + A8 | Beyerdynamic DT-990 Pro (250)
Power Supply Seasonic Focus Plus 850W
Mouse Logitech G502 Lightspeed
Keyboard Leopold FC750RBT
Software Win 10 Pro x64
Using Windows is like being stuck in an abusive relationship.
We pay MS and they give us crap, cull our data, and shove ads into their (paid-for) product.
 
Joined
Dec 12, 2016
Messages
1,555 (0.55/day)
Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
There is not a single ounce of truth in anything you just said.
 
Joined
Apr 14, 2018
Messages
594 (0.26/day)
There is not a single ounce of truth in anything you just said.

There absolutely is. I use Softplan on occasion for drawing coordination with an architect, and what do you know, it is not supported on macOS. You can find hundreds if not thousands more examples, but if you want to pretend macOS or Mac has wider software support, you can keep on dreaming.
 
Joined
Feb 14, 2012
Messages
2,344 (0.51/day)
System Name msdos
Processor 8086
Motherboard mainboard
Cooling passive
Memory 640KB + 384KB extended
Video Card(s) EGA
Storage 5.25"
Display(s) 80x25
Case plastic
Audio Device(s) modchip
Power Supply 45 watts
Mouse serial
Keyboard yes
Software disk commander
Benchmark Scores still running
So the fight with Linux has begun

As an openSUSE user, Tumbleweed has managed to have its own share of secure boot issues along the way. Nobody seems to test the secure boot feature very well or in various configurations. I doubt it was intentional on MS' part.
 
Joined
Dec 12, 2016
Messages
1,555 (0.55/day)
There absolutely is, I use Softplan on occasion for drawing coordination with an Architect, and what do ya know not supported on macOS. You can find hundreds if not thousands of more examples, but if you wanna pretend macOS or Mac has wider software support, you can keep on dreaming.
If only the whole world used Softplan as their one and only one software application, then I would be more receptive to what you are saying. Since it is not, many personal and professional uses of computers are moving to different devices and OSes since the days of 95% Windows OS share for internet connected devices. The transition cannot happen fast enough and I don't even think MS would care as they have pivoted away from the Windows OS business a few years ago.
 
Joined
Jan 3, 2021
Messages
3,108 (2.34/day)
Location
Slovenia
Processor i5-6600K
Motherboard Asus Z170A
Cooling some cheap Cooler Master Hyper 103 or similar
Memory 16GB DDR4-2400
Video Card(s) IGP
Storage Samsung 850 EVO 250GB
Display(s) 2x Oldell 24" 1920x1200
Case Bitfenix Nova white windowless non-mesh
Audio Device(s) E-mu 1212m PCI
Power Supply Seasonic G-360
Mouse Logitech Marble trackball, never had a mouse
Keyboard Key Tronic KT2000, no Win key because 1994
Software Oldwin
Can users repair the boot loader themselves or do they have to wait for MS's fix?
 

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,779 (1.67/day)
Location
Rochester area
System Name RPC MK2.5
Processor Ryzen 5800x
Motherboard Gigabyte Aorus Pro V2
Cooling Enermax ETX-T50RGB
Memory CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s) GIGABYTE RTX 3070 Ti GAMING OC
Storage ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s) LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case Phanteks P300 /w 300A front panel conversion
Audio Device(s) onboard
Power Supply SeaSonic Focus+ Platinum 750W
Mouse Kone burst Pro
Keyboard EVGA Z15
Software Windows 11 +startisallback
Fix the title please: the issue is a distro/GRUB problem, not a Microsoft one.

The issue is that Microsoft started enforcing SBAT and has revoked some old exploitable certificates.
Many distros use a self-signed UEFI shim which is no longer allowed due to exploits; the new update revokes the SBAT cert on affected, known-exploitable versions of GRUB shipped with some distros.
Updating GRUB or disabling the SBAT policy on the Linux side will resolve the issue.

tl;dr: Linux users need to update their systems before crying about Microsoft.
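The SBAT comparison that the article above describes and this post restates, as an added example. It is not code from the page, from shim, from GRUB or from any distribution; it models the generation check shim performs before loading GRUB, and the `.sbat` texts, the policy, the `grub.example` component and the `build_minimal_pe` fixture are all constructed for illustration. On a real machine the section comes from the EFI binary and the policy from the SbatLevel UEFI variable.

```python
"""SBAT generation check, modelled on the comparison shim performs before it loads GRUB.
Added example, not shim's code. All sample data below is constructed for illustration."""
import struct
import sys

# Constructed sample: .sbat section of an old GRUB build, component "grub" at generation 2.
GRUB_SBAT_OLD = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.06-1,https://example.invalid/grub
"""
# Constructed sample: the same GRUB rebuilt with the fixes, so "grub" is at generation 3.
GRUB_SBAT_CURRENT = GRUB_SBAT_OLD.replace("grub,2,", "grub,3,")

# Constructed policy in SbatLevel form: one "component,minimum_generation" per line.
SBAT_POLICY = """sbat,1,2024010900
shim,4
grub,3
grub.debian,4
"""

def parse_sbat_entries(text: str) -> list[tuple[str, int]]:
    """Turn CSV lines of 'component,generation,...' into (component, generation) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append((fields[0], int(fields[1])))
    return entries

def verify_sbat(section_text: str, policy_text: str) -> tuple[bool, str]:
    """Return (allowed, reason): a component whose generation is below the policy's is revoked."""
    entries = parse_sbat_entries(section_text)
    policy = dict(parse_sbat_entries(policy_text))
    if not entries or entries[0][0] != "sbat":
        return False, "first .sbat entry must be the 'sbat' header"
    for component, generation in entries:
        required = policy.get(component)  # components the policy does not name are unconstrained
        if required is not None and generation < required:
            return False, f"{component} generation {generation} revoked (policy requires >= {required})"
    return True, "all SBAT generations current"

def read_sbat_section(pe_bytes: bytes) -> str:
    """Pull the raw .sbat section out of a PE/COFF image such as shimx64.efi or grubx64.efi."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe_bytes[hdr:hdr + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe_bytes, hdr + 8)
        if name == b".sbat":
            size = min(vsize, raw_size) if vsize else raw_size
            return pe_bytes[raw_ptr:raw_ptr + size].rstrip(b"\0").decode("utf-8")
    raise ValueError("no .sbat section in image")

def build_minimal_pe(sbat_text: str) -> bytes:
    """Constructed fixture: a tiny, non-bootable PE image whose only section is .sbat."""
    data = sbat_text.encode("utf-8")
    pe_off, opt_size = 0x40, 0
    table = pe_off + 4 + 20 + opt_size
    raw_ptr = table + 40
    img = bytearray(raw_ptr + len(data))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe_off + 4, 0x8664, 1)  # Machine=x86-64, NumberOfSections=1
    struct.pack_into("<H", img, pe_off + 4 + 16, opt_size)
    img[table:table + 8] = b".sbat\0\0\0"
    struct.pack_into("<IIII", img, table + 8, len(data), 0x1000, len(data), raw_ptr)
    img[raw_ptr:raw_ptr + len(data)] = data
    return bytes(img)

def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <shim-or-grub.efi> <sbat-policy.txt>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    with open(argv[2], encoding="utf-8") as f:
        policy = f.read()
    allowed, reason = verify_sbat(read_sbat_section(image), policy)
    print(("ALLOWED: " if allowed else "REVOKED: ") + reason)
    return 0 if allowed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the GRUB image in your ESP (for example `/boot/efi/EFI/<distro>/grubx64.efi`) and a text file holding the SbatLevel policy; `objcopy --only-section=.sbat -O binary grubx64.efi sbat.csv` dumps the same section for comparison. Note that matching is per exact component name: a distro-specific entry such as `grub.debian` is constrained only by a policy line with that same name, which is why a distro can be revoked independently of upstream GRUB.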
 
Joined
Jul 31, 2024
Messages
44 (1.83/day)
fix title please: issue is a Distro/GRUB problem not a microsoft one

It's more of a user issue, I think.
When you do not know how the boot process of your box works, you are doing something wrong. Or you are just too lazy to learn and read.

I came to the conclusion that I do not need a bootloader anymore with an EFI stub kernel on a UEFI-based mainboard. https://wiki.gentoo.org/wiki/EFI_stub

ASUS X670-P Prime and MSI B550 Gaming EDGE WIFI have a bug in the UEFI: when I did not set my EFI stub kernel as the first, default entry, it was very often forgotten.

There are different ways to write UEFI boot entries. I use: https://wiki.gentoo.org/wiki/Efibootmgr

efibootmgr is a tool for managing UEFI boot entries.

It is not a bootloader. It is a tool that interacts with the EFI firmware of the system, which itself is acting as a boot manager. Using efibootmgr boot entries can be created, reshuffled and removed.

--

Make backups. Test restoring the backups to see if your backup strategy works.

--

Can users repair the boot loader themselves or do they have to wait for MS's fix?

Assuming you know your boot process, this has always been possible, since Linux kernel version 2.0.0 at least. I do not know about before that point.

--

I think the whole issue is about the Secure Boot option and an outdated certificate. The author may want to look into it in more detail and update the news post, please.
 

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,396 (0.93/day)
Fix the title please: the issue is a distro/GRUB problem, not a Microsoft one.

The issue is that Microsoft started enforcing SBAT and has revoked some old exploitable certificates.
Many distros use a self-signed UEFI shim which is no longer allowed due to exploits; the new update revokes the SBAT cert on affected, known-exploitable versions of GRUB shipped with some distros.
Updating GRUB or disabling the SBAT policy on the Linux side will resolve the issue.

tl;dr: Linux users need to update their systems before crying about Microsoft.
Thanks! I re-did the article with new info, so now updated!!!
 
Joined
Jul 21, 2016
Messages
96 (0.03/day)
Windows will be around for as long as Mac and Linux can’t provide more universal support for software. Using a mac is like paying a company a lot of money to shoot you in the foot unless you work with a handful of supported programs.
Don't worry. Microsoft is making sure that "universal support for software" is going away with all their changes.
 
Joined
Oct 19, 2022
Messages
21 (0.03/day)
Location
Sweden
Processor Ryzen 5 5600
Motherboard MSI B350M Mortar
Memory 2x8 Gb DDR4 HyperX Black 2133 @ 3200 CL16 + 2x8Gb Corsair DDR4 Vengeance @ 3200 CL16
Video Card(s) Asus Dual Radeon RX 6700 XT
Storage 1x Crucial P2 512Gb, 1x WD "old" Blue 1Tb 7.2k, 1x Seagate ST2000 2Tb 7.2k
Display(s) AOC 24G2 144Hz
Case Fractal Pop Air
Mouse Kone Aimo modded with JPN switches
Keyboard Logitech G 413 or Steelseries 6Gv2 depending on the mood
Thanks! I re-did the article with new info, so now updated!!!
Then it's a totally different story...

Thanks for the update (and thanks to all that pointed the root cause out)
 
Joined
Jul 5, 2013
Messages
26,251 (6.45/day)
However, the issues are actually related to changes in UEFI Secure Boot Advanced Targeting (SBAT) policies.
My response to this is: Someone please take Windows away from Microsoft so we can have sensible solutions to problems and proper progression forward that serves the needs of the user FIRST.
 
Joined
Aug 20, 2007
Messages
21,119 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
My response to this is: Someone please take Windows away from microsoft so we can have sensible solutions to problems and proper progression forward that serves the needs of the user FIRST..
This was literally revocation of known exploited keys. I'm unsure how else they COULD have handled it. Ignoring that these keys were compromised was not really a sane option.
 
Joined
Jul 31, 2024
Messages
44 (1.83/day)
This was literally revocation of known exploited keys. I'm unsure how else they COULD have handled it. Ignoring that these keys were compromised was not really a sane option.

It would be enough to just show big pop-up messages that cannot be clicked away.

Windows 11 Pro annoys me very often with messages like "Use a Microsoft online account" and other nonsense. That code exists. Just reuse it with a changed text.

Microsoft coders are most likely stupid. Destroying data. Someone who destroys data is stupid. Fact. Someone who writes code which destroys data is stupid. There used to be install dialogs with text. And warning text, do not click here, else ... may render your box not bootable and such.

I dislike "Linux" etc. in the article. That is wrong. It should be named: Ubuntu has an issue with an outdated bootloader when the Secure Boot option is enabled, assuming that is the case here. All that text and the Ubuntu page are not really clear about what the issue is. This also shows that the people responsible for Ubuntu's text do not know where and what the issue is.

My Gentoo Linux is not affected. I also use a Linux kernel in the EFI stub variant, with another userspace and another toolchain. Assuming the date of the article is correct, my box was not "ruined" by the last Windows 11 Pro update I did a few days ago. Then I activated the 5-week no-update option.

People forget. It is not a Linux issue. It is a bootloader issue. And that is a userspace issue. And that is not Linux related, because it is not the Linux kernel itself.

In comparison, when we talk about Windows, we usually mean the whole package: the Windows kernel, the whole operating system with the "userspace", and the provided software and bootloader.

Feel free to go to kernel.org and download. Read the gentoo handbook or the arch linux install guide. Read and understand the boot process please. Read lilo, grub 1 or grub 2 docs to understand what a bootloader does.
 
Joined
Feb 3, 2023
Messages
200 (0.35/day)
"A necessary solution to ensure security". I'm sure I read those words in a book concerning mid-XX century European history. Or was it a book about USA government drugging and poisoning own citizens?
In any way, it's a good practice to first warn users about an update potentially making many systems unusable, at least for a while. But, Microsoft being a company run by monkeys mindlessly chanting "AI", is obviously not privy to revolutionary ideas like "good practices". A week's notice would not compromise security much further but would save some headache.
 
Joined
Oct 2, 2015
Messages
3,022 (0.93/day)
Location
Argentina
System Name Ciel
Processor AMD Ryzen R5 5600X
Motherboard Asus Tuf Gaming B550 Plus
Cooling ID-Cooling 224-XT Basic
Memory 2x 16GB Kingston Fury 3600MHz@3933MHz
Video Card(s) Gainward Ghost 3060 Ti 8GB + Sapphire Pulse RX 6600 8GB
Storage NVMe Kingston KC3000 2TB + NVMe Toshiba KBG40ZNT256G + HDD WD 4TB
Display(s) AOC Q27G3XMN + Samsung S22F350
Case Cougar MX410 Mesh-G
Audio Device(s) Kingston HyperX Cloud Stinger Core 7.1 Wireless PC
Power Supply Aerocool KCAS-500W
Mouse EVGA X15
Keyboard VSG Alnilam
Software Windows 11
Never share an EFI partition with Windows. This has been the case since Windows 8 got released.
 