SBAT Revocations: Boot Process

Since November 2022, several Linux distributions, including Ubuntu 22.04.2 and 20.04.6, have upgraded to shim 15.7, which provides a critical security update to address various vulnerabilities in the boot stack.

It is important to note that this update, by default, revokes the grub,1 SBAT level utilized by older installer media, including Ubuntu 22.04.1, and other distributions such as RHEL 9.0. As a result, systems running these older installer media will cease to boot once shim 15.7 is installed.

To address this issue, it is recommended that users switch to newer installer media, such as Ubuntu 22.04.2, Ubuntu 20.04.6, and equivalent updated media from other distributions. For situations where this is not possible, users may choose to disable secure boot and/or reset the SBAT policy to revert to an older shim or grub.

The SBAT policy is configured by the mokutil --set-sbat-policy POLICY command. The default policy “previous”, which currently revokes “grub,1” can be set using mokutil --set-sbat-policy previous. The “latest” policy, which revokes both shim,1 and grub,2 binaries and can cause additional systems to become unbootable, can be set using mokutil --set-sbat-policy latest (future updates will apply any newer “previous” policy). Note that a reboot is required for shim to run and act on the request.

To delete the policy, disable secure boot, run mokutil --set-sbat-policy delete, reboot, boot into the new shim to apply (shims on older media do not support the mokutil interface), and then turn secure boot back on again. Please note that booting the new shim after a completed reset will reapply the “previous” policy again.

Please note that for the time being, this mokutil feature is only available in Ubuntu 22.10 and newer.

Older releases, and some releases such as 20.04.5 include a shim that does not yet implement SBAT checks and have been revoked by dbx updates by Microsoft. Booting them will require resetting the secure boot keys in your BIOS.

7 Likes

Thanks for posting this !

that did work for me. however, windows dispeared from the booting screen

For the recent Windows-triggered revocation, see the following thread:

1 Like
  • This problem happened to me today. I entered the HO Startup menu by hitting the ESC key.
  • From here I the Boot menu.
  • I tried UEFI Ubuntu, but this didn’t work.
  • I tried UEFI Windows Boot Manager. I got the Windows startup screen & I’n in Windows.
  • What I’m missing is how to enter Ubuntu & disabling the SBAT problem.
  • Will I need to enter Windows this way until I fix the issue?
  • I appreciate any guidance!

Hello, how can I open the terminal if computer won’t stay turned on for more than 10sec after showing me the policy violation message ?

1 Like

Same issue as chalky.

My pc turns on, displays the message, and immediately turns off afterwards.

I have no control to choose which OSi want to boot on.

What are some keys I can press during the 5 seconds it is turned on ?

Any help would be much appreciated

EDIT : the answer is to repeatedly smash the F8 key as soon as the pc starts turning on

1 Like

Still not working for my pc, do you know what do i have to press for mine ?

edit : it is working now, i had to spam esc right when my screen turned on, then disable the bios secure boot, once my pc finally booted under ubuntu, i wrote in the terminal “sudo mokutil —set-sbat-policy delete”