Dual-Boot Linux Users Need to Update Systems Due to GRUB/SBAT Policy Changes in Windows
Multiple users have recently reported that the August 13 Ventanas 11 update causes issues with dual-boot Linux/Windows configurations. Sin embargo, the issues are actually related to changes in UEFI Secure Boot Advanced Targeting (SBAT) policies. The issue stems from Microsoft enforcing SBAT and revoking old, exploitable certificates. Many Linux distributions use self-signed UEFI shims, which are no longer allowed due to known exploits. The new update revokes the SBAT certificates on affected, known exploitable versions of GRUB shipped with some Linux distributions. This can result in error messages like “Verifying shim SBAT data failed: Security Policy Violation” o “Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.” To resolve this issue, Linux users need to update GRUB or disable the SBAT policy on the Linux side.
It’s important to note that this is not primarily a Microsoft problem, but rather a necessary security update that affects some Linux distributions using outdated or vulnerable bootloaders. For more information on SBAT revocations and the boot process, users can refer to the Ubuntu Discourse here. This problem particularly impacts software developers and gaming enthusiasts who rely on dual-boot setups. As always, it’s good practice for users to back up their data before performing any system updates. Considering alternatives like using virtual machines is also a good choice for users relying on older Linux distributions.