A recent security update from Microsoft has led to boot problems for users with dual-boot systems featuring both Windows and Linux, the company has confirmed. The update, intended to fix a vulnerability in GRUB, an open-source boot loader, has unexpectedly affected systems set up to run both operating systems. The vulnerability, known as CVE-2022-2601, allowed attackers to bypass the Secure Boot mechanism designed to ensure only trusted software runs during startup.
Misapplied Secure Boot Policy
The update, released as part of the August 2024 Patch Tuesday, applied a Secure Boot Advanced Targeting (SBAT) policy designed to revoke certain vulnerable boot-path components. It was meant to be restricted to Windows-only devices. Instead, it mistakenly affected dual-boot systems and Windows devices set to boot Linux from ISO images or USB drives, causing boot failures.
Users have encountered errors such as “Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation” while attempting to boot into Linux. The problem impacts various Linux distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux.
Microsoft's Response and Interim Measures
Microsoft acknowledged the issue and committed to resolving it. The root cause was attributed to a failure to detect dual-boot configurations, which led to the SBAT policy being applied where it should not have been. As a temporary measure, Microsoft advises users not to restart their Windows systems to apply the update, and instead to block the SBAT update by setting a registry value with the command:
```
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
```
Temporary Fixes by Users
Some users have found workarounds such as disabling Secure Boot or removing the SBAT policy. To delete the SBAT policy, users can disable Secure Boot, boot into Linux, and run `sudo mokutil --set-sbat-policy delete`. Afterward, Secure Boot needs to be re-enabled in the BIOS settings.
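Before rebooting, a Linux administrator can check whether a given SBAT revocation policy would make shim refuse a GRUB binary, which is the condition behind the "SBAT self-check failed" error above. This is an added shell example, not part of the article or of Microsoft's guidance; the policy and .sbat data are constructed samples, and the `mokutil --list-sbat-revocations` and `objcopy` commands named in the comments are assumed to be available on the system.

```shell
#!/bin/sh
# Constructed sample: an SBAT revocation policy of the kind the update installs.
# Format: header "sbat,<version>,<date>", then "<component>,<minimum generation>";
# a binary whose generation for a component is LOWER than the listed value is
# refused. On a live system the policy can be read with
# `mokutil --list-sbat-revocations` (assumed available) or from the efivar
# SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 under /sys/firmware/efi/efivars.
SAMPLE_POLICY='sbat,1,2024010900
shim,4
grub,3
grub.debian,4'

# Constructed sample: .sbat section of an older GRUB build (grub generation 2).
# Field 1 is the component name, field 2 its generation; the rest is metadata.
# A real one can be extracted with: objcopy --dump-section .sbat=grub.sbat grubx64.efi
SAMPLE_OLD_GRUB='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2'

# Constructed sample: a rebuilt GRUB whose generations satisfy the policy.
SAMPLE_NEW_GRUB='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.12-1,https://tracker.debian.org/pkg/grub2'

# sbat_check POLICY_TEXT SECTION_TEXT
# Exit 0 if every component meets the policy (shim would load the binary),
# 1 if not; each violation is printed as "<component>,<generation><<minimum>".
sbat_check() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$2" | awk -F, '
        BEGIN { bad = 0 }
        # First input is the policy: record the minimum generation per component.
        NR == FNR { if ($1 != "") min[$1] = $2 + 0; next }
        # Second input is the .sbat section: flag entries below the minimum.
        ($1 in min) && ($2 + 0) < min[$1] {
            printf "%s,%s<%d\n", $1, $2, min[$1]; bad = 1
        }
        END { exit bad }' "$tmp" -
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo: the older build is the one that would trip the self-check.
sbat_check "$SAMPLE_POLICY" "$SAMPLE_OLD_GRUB" || echo "old GRUB would be refused"
```

Running the check against the real policy and the distribution's signed GRUB before applying a firmware or Windows update shows in advance whether the Linux side of a dual-boot machine will still start.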
All current client and server versions of Windows, including Windows 10, Windows 11, and Windows Server editions from 2012 onward, are affected. The scenario underscores the complexities of managing Secure Boot in mixed-OS environments.
Microsoft's situation is part of an ongoing struggle with Secure Boot, which has encountered several vulnerabilities recently. Research has pointed out flaws such as the use of test keys labeled “DO NOT TRUST” to authenticate Secure Boot on many devices. Security analyst Will Dormann has noted that while Secure Boot strengthens Windows security, its efficacy is undermined by such vulnerabilities.