According to user reports following this month’s Patch Tuesday, the August 2024 Windows security updates are breaking dual boot on some Linux systems with Secure Boot enabled.
This issue is caused by Microsoft’s decision to apply a Secure Boot Advanced Targeting (SBAT) update to block Linux boot loaders unpatched against the CVE-2022-2601 GRUB2 Secure Boot bypass vulnerability, which could “have an impact on Windows security.”
“The vulnerability assigned to this CVE is in the Linux GRUB2 boot loader, a boot loader designed to support Secure Boot on systems that are running Linux,” Microsoft says in an advisory published last week to address this issue.
“It is being documented in the Security Update Guide to announce that the latest builds of Windows are no longer vulnerable to this security feature bypass using the Linux GRUB2 boot loader.
“The SBAT value is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems. You might find that older Linux distribution ISOs will not boot. If this occurs, work with your Linux vendor to get an update.”
However, while Redmond says that the SBAT update that blocks vulnerable UEFI shim bootloaders should not impact dual-boot systems in any way, many Linux users say that their systems (running Ubuntu, Linux Mint, Zorin OS, Puppy Linux, and other distros) no longer boot after installing the August 2024 Windows updates on the Windows OS.
Those affected see “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation” errors, and, for some, the devices will also immediately shut down.
Currently, there is no definitive list of Linux distributions and versions affected by this known issue and Linux users who tried working around the issue say that deleting the SBAT policy or wiping the Windows installation and restoring Secure Boot to factory settings will not work.
The only apparent way to revive the device is to disable Secure Boot, install the latest version of their favorite Linux distro, and re-enable Secure Boot.
Microsoft has yet to acknowledge that installing this month’s Patch Tuesday update may render dual-boot systems unable to boot.