Latest Windows update is messing up booting Linux operating systems

[bigpup]

If you are dual booting Windows and some version of Linux (like Puppy Linux).

With secure boot enabled in the computers UEFI bios settings.
---------------------------------------------------------------------------------------------------------------------------------------------------------

The latest update to Windows 10 and 11 has done something to not allow booting the Linux OS.

You will get this error when trying to boot Linux:

Verifiying shim SBAT data failed: Security Policy Violation Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

This is one way to fix this:
https://askubuntu.com/questions/1523438 ... -violation

Note:
This is not an issue, if you have secure boot disabled, in the computers UEFI bios settings.

I tried to find some good info on what SBAT is, but about all I got out of reading, was it is something used by secure boot, that now needs updated in the boot loader.

[rockedge]

checkout a previous discussion -> viewtopic.php?p=128936#p128936

There must be a fix coming from Microsoft soon, they had claimed in the documentation that the update would not effect dual booting Linux OS's

[Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.

[wiak]

Reading some MS docs concerning UEFI, secure boot, and Public Key Infrastructure two things become alarmingly clear. MS has incredible power over this whole scheme and whilst provision appears to have been made for Linux providers, at least for X86 and X86_64 based machines, it is far from clear to me that smaller Linux distros will always be provided for. I would certainly have no idea what MS tool, CA or whatever to use to sign a FR initrd if that became necessary.

The second concern is simply the complexity involved in all this chain of trust stuff. All sorts of mechanisms can be employed - seems advanced degree capability in that complex domain is needed to understand most of it. Yes there are some published shim tricks, but that just scratches the surface and should these mechanisms get blocked for their less secure simplicity, what happens to this forum then.

Of course some may imagine some here will always provide working methods - I am not convinced any of us could. So we may be at the mercy of what the likes of MS do... Is that the true Future of forum distro thread nightmare - will newer machines even allow turning off secure boot I wonder, like alone this threat from Windows updates on underlying UEFI firmware behaviour. All seems very fragile.

Older computers may become increasingly important to us.

[rockedge]

I would certainly have no idea what MS tool, CA or whatever to use to sign a FR initrd if that became necessary.

I have seen an example of using Void Linux's xbps-src tool to sign programs. Looks kind of like what would be needed but......
https://learn.microsoft.com/en-us/windo ... windows-11

I have been concerned that our ability to build kernels without signing the modules will be hampered and because the UEFI machines will be unable to boot "unsecured" kernels. So far it isn't but I also see that Microsoft has now enough control to lock machines into only Windows and it should be expected that they will go the next step. Comes down to we must continue on assembling these operating systems for holding onto the freedom of choice.

Older computers may become increasingly important to us.

Totally agree. And we have a collection of operating systems to keep them viable that we continue to assemble and distribute world wide.

[geo_c]

I would certainly have no idea what MS tool, CA or whatever to use to sign a FR initrd if that became necessary.

I have seen an example of using Void Linux's xbps-src tool to sign programs. Looks kind of like what would be needed but......

I have been concerned that our ability to build kernels without signing the modules will be hampered and because the UEFI machines will be unable to boot "unsecured" kernels. So far it isn't but I also see that Microsoft has now enough control to lock machines into only Windows and it should be expected that they will go the next step. Comes down to we must continue on assembling these operating systems for holding onto the freedom of choice.

Older computers may become increasingly important to us.

Totally agree. And we have a collection of operating systems to keep them viable that we continue to assemble and distribute world wide.

From what I remember reading, but don't have links at hand, the trend in processors and devices is to be able to circumvent any attempt to run the device "off-the-grid" including things like using VPN's. The VPN's will work, but the processors and hardware chips will make them irrelevant in terms of surveillance.

Computer manufacturing is moving the way cars are moving, in that if one wants to operate independent from Big Tech, in other words one doesn't want a SMART car reporting their biometrics and driving habits to a central location, it will become increasingly difficult and one day perhaps illegal to own and operate one.

But at least with old computers, they will run offline. And that's something. I have a small collection of 6 desktops and 8 older laptops, but have often thought that I simply can't have enough old computers in this day and age. And for this reason I manage all my data off-line, so that I don't suddenly lose access to it by not using the "official" OS on the "official" device.

[wiak]

Yes, we should certainly also protect any data that is important to us from potentially vanishing or tamperable cloud-only status ( i.e. the opposite to what big Tech encourages).

Old machines/technology may become underground anti Big Brother tools of immense importance to communities determined to avoid oppression and protect individuality, freedom to be different, and simple privacy.

Clarity seems to think we should embrace new technologies with optimism, but in some cases I'm far from convinced that is wise.

Indeed I still think the nuclear bomb was an inevitably bad idea for long term likely future. And AI? And have smart phones improved our social behaviors during their relatively short existence in our daily lives? Or the internet more generally; do we have more free time as a result?

[mikewalsh]

This whole issue has merely reinforced my view on running Windows, AND the advice I shall continue to give to anyone who has a NEED to use the one OS alongside a desire to run the other; if there's any way on God's green earth you can do so, keep Windows and Linux totally separate. And that MEANS on separate machines. Less hassle all round.

Windows, unfortunately, NEEDS reasonably powerful hardware to function in anything approaching a usable manner. Linux requirements are nowhere near so steep. In either case, there's a ton of reasonably-priced refurbs out there that should cover all the bases....

(*shrug...*)

Mike.

[Jasper]

Microsoft has published a solution to this issue:
.
https://learn.microsoft.com/en-us/windo ... ue-details

[redquine]

Thanks, Jasper. Definitely worth keeping a note of that!

We are investigating the issue with our Linux partners and will provide an update when more information is available.

Hmm... looks like they might have published a workaround because they've realised the move could hurt their own pockets. Their relationship with Linux grows murkier by the day.

I briefly thought my HP Stream was safe as it's not eligible for upgrade to Windows 11. Unfortunately, I see the issue also affects Windows 10 versions 22H2 & 21H2 and Windows 10 Enterprise 2015 LTSB. I'm on 22H2 and was hoping to keep at least one machine still running Windows as I very occasionally have to resort to it. But it's already so slow, it's practically unusable. Worst comes to the worst, I'll wipe off Windows and see if I can find another 'Dozer in the bargain bucket.

All this goes to show how daft it is to pay top dollar for shiny new stuff. With Puppy, that old lappie bursts into life and starts singing and dancing like a sprightly youngster. (Not literally, that would be weird.) You never know: there may come a day when old-but-reliable tech becomes the norm. Especially for people who want to own what they buy, rather than being owned by the OS it runs.

[wiak]

My Linux Mint machine just notified me that there are a few updates to install. One is a shim... per image attached... maybe something to do with all this?

[rockedge]

Yes I believe it is the update to match Microsoft's shim thing