The August 2024 updates for Windows have caused collateral damage for Linux users. After the updates applied Secure Boot Advanced Targeting (SBAT), the Linux boot loader refused to start on dual-boot systems. Microsoft has now commented on the reasons and tried to explain the whole thing.
Looking back at the Linux boot problem
Microsoft rolled out Secure Boot Advanced Targeting (SBAT) for all supported Windows versions with the August 13, 2024 security updates. The aim is to prevent compromised or outdated Linux EFI boot loaders (shim) from being executed. The relevant support articles state this:
[Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.
However, the problem is that – contrary to Microsoft's statement – dual-boot systems were also affected. And current Linux distributions were also affected. I addressed the issue in the blog post Windows August 2024 update 'paralyzes' Linux boot.
Microsoft explains the issues
On August 22, 2024, Microsoft published the article August 2024 security update might impact Linux boot in dual-boot setup devices, with explanations, in the Known Issues section of the Release Health status page for Windows (e.g. for Windows 11). Redmond confirms there that Linux boot problems may occur after installing the Windows security update of August 13, 2024 (e.g. KB5041585 for Windows 11). The problem is said to occur if a dual-boot setup for Windows and Linux is in use on the system. Linux can then no longer be started and fails with the error message:
Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.
The Windows manufacturer explains in the support article that the Windows security update from August 2024 applies a Secure Boot Advanced Targeting (SBAT) setting to devices running Windows. The aim is to block old, vulnerable boot managers. It is also (incorrectly) repeated there that this SBAT update will not be applied to devices on which dual boot is detected, so that in this case there should be no problems with dual-boot installations.
In one sentence, however, it becomes clear that Microsoft screwed it up again, because Redmond had to admit "On some devices, dual-boot detection did not recognize some user-defined dual-boot methods and applied the SBAT value when it should not have been applied."
Want some real satire?
A bit of real satire shines through in Microsoft's statement "You can check whether the SBAT is activated under Linux by carrying out the following steps". Because anyone who has run into boot problems now knows that they are affected and is faced with the problem of having to carry out the following steps on Linux that no longer boots:
- Open your terminal program
- Type mokutil --sb-state and press the Enter key
The user should then search for the SBAT status in the output. If SBAT is enabled, this will be displayed.
Disable secure boot and delete SBAT
If you have installed the August 2024 update and run into the Linux boot problem, you must disable Secure Boot in the UEFI. How exactly this is done depends on the UEFI manufacturer (on some mainboards, Secure Boot can no longer be switched off). You should then be able to boot Linux and enter the following command in a terminal window:
sudo mokutil --set-sbat-policy delete
The execution of the above command requires the entry of the root password for the Linux system. The following terminal command can be used to check whether the whole thing worked:
mokutil --list-sbat-revocations
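How to read the output of mokutil --list-sbat-revocations, as an added example (not from the article or from Microsoft): shim refuses a binary whose .sbat entry carries a generation lower than the minimum listed for that component in the revocation list. The policy values, .sbat contents and the function name sbat_check are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). All sample data below is CONSTRUCTED.
# Revocation list format, as printed by `mokutil --list-sbat-revocations`:
#   <component>,<minimum generation>   (first row: sbat,<version>,<date>)
# .sbat section format inside a shim/GRUB binary:
#   <component>,<generation>,<vendor>,<package>,<version>,<url>

# sbat_check REVOCATIONS COMPONENT_SBAT
# Prints a verdict per component row; returns 1 if any row is revoked.
sbat_check() {
    { printf '%s\n' "$1"; printf '%s\n' "===="; printf '%s\n' "$2"; } |
    awk -F, '
        $0 == "====" { part = 2; next }          # separator between both inputs
        NF < 2       { next }                    # skip blank or malformed rows
        part != 2    { min[$1] = $2 + 0; next }  # revocation: name -> minimum
        {
            # Component row: revoked when its generation is below the minimum.
            if (($1 in min) && ($2 + 0) < min[$1]) {
                printf "%s,%d < required %d: REVOKED\n", $1, $2, min[$1]
                bad = 1
            } else {
                printf "%s,%d: ok\n", $1, $2
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed revocation list with raised minimum generations.
STRICT_POLICY='sbat,1,2024010100
shim,4
grub,3'
# Constructed list as it might look after the policy has been reset.
RESET_POLICY='sbat,1,2021010100'
# Constructed .sbat sections of an older and a newer shim build.
OLD_SHIM='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
shim,3,Example Vendor,shim,15.7,https://example.invalid/shim'
NEW_SHIM='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
shim,4,Example Vendor,shim,15.8,https://example.invalid/shim'

sbat_check "$STRICT_POLICY" "$OLD_SHIM" || echo "=> old shim is refused"
sbat_check "$STRICT_POLICY" "$NEW_SHIM" && echo "=> new shim passes"
sbat_check "$RESET_POLICY"  "$OLD_SHIM" && echo "=> old shim passes after reset"
```

On a real system, pass the output of mokutil --list-sbat-revocations as the first argument and the boot loader's .sbat section (extractable with objcopy -O binary --only-section=.sbat) as the second.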
Prevent further SBAT installation
To prevent another SBAT disaster caused by the update installations, Microsoft has revealed a special trick. Under Windows, the following command should make an entry in the registry:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
The DWORD value OptOut=1 under SBAT prevents Windows Update from manipulating the relevant SBAT settings on the relevant systems in future.
Affected were …
Microsoft has also confirmed which Windows updates or Windows versions were affected by this SBAT disaster. It affects both clients and servers:
- Windows 11 Version 21H2 – 23H2
- Windows 10, Version 21H2 – 22H2
- Windows 10 Enterprise 2015 LTSB
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
I noticed that Microsoft does not list Windows 10 Enterprise 2016 LTSB in its support article, while Windows Server 2016 is mentioned as affected. I assume that Microsoft has simply forgotten the Windows 10 versions in the list. The Microsoft people are currently investigating the problem together with the Linux partners and are planning to provide an update. It remains to be seen when this will be the case.