Latest Windows 11 security update breaks dual boot with Linux

A bug in the latest security updates for Windows 11 made dual-boot computers unbootable. The patch that was intended to mitigate the CVE-2022-2601 in a vulnerable GRUB shims on devices that run Windows only but have such a bootloader component installed. Unexpectedly, the patch has appeared for a wider range of devices, including those with Linux in dual-boot, making impossible to start the latter.

Here are the details on the closed vulnerability.

• [Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.

So, it could let attackers circumvent Secure Boot. This vulnerability was rated 8.6 out of 10 for severity. The defective fix is part of updates released on August 13.

This problem has affected users across various Linux distributions, including Ubuntu, Debian, Linux Mint, Zorin OS, and Puppy Linux. Users on forums have encountered errors like "security policy violation" and "something went wrong," among others.

The workaround is to either disable Secure Boot or remove the Microsoft SBAT policy.

A workaround

Ubuntu users can use this solution:

1. Disable Secure Boot in BIOS.
2.  Boot into Ubuntu and open a terminal.
3. Remove the SBAT policy using the command: sudo mokutil --set-sbat-policy delete.
4. Restart your computer and log into Ubuntu again to refresh the SBAT policy.
5. Reboot and re-enable Secure Boot in BIOS.

Microsoft is yet to comment on the situation.

Source: thecommunity

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: