Since November 2022, several Linux distributions, including Ubuntu 22.04.2 and 20.04.6, have upgraded to shim 15.7, which provides a critical security update to address various vulnerabilities in the boot stack.
It is important to note that this update, by default, revokes the grub,1 SBAT level utilized by older installer media, including Ubuntu 22.04.1, and other distributions such as RHEL 9.0. As a result, systems running these older installer media will cease to boot once shim 15.7 is installed.
To address this issue, it is recommended that users switch to newer installer media, such as Ubuntu 22.04.2, Ubuntu 20.04.6, and equivalent updated media from other distributions. For situations where this is not possible, users may choose to disable secure boot and/or reset the SBAT policy to revert to an older shim or grub.
The SBAT policy is configured by the mokutil --set-sbat-policy POLICY
command. The default policy “previous”, which currently revokes “grub,1” can be set using mokutil --set-sbat-policy previous
. The “latest” policy, which revokes both shim,1 and grub,2 binaries and can cause additional systems to become unbootable, can be set using mokutil --set-sbat-policy latest
(future updates will apply any newer “previous” policy). Note that a reboot is required for shim to run and act on the request.
To delete the policy, disable secure boot, run mokutil --set-sbat-policy delete
, reboot, boot into the new shim to apply (shims on older media do not support the mokutil interface), and then turn secure boot back on again. Please note that booting the new shim after a completed reset will reapply the “previous” policy again.
Please note that for the time being, this mokutil feature is only available in Ubuntu 22.10 and newer.
Older releases, and some releases such as 20.04.5 include a shim that does not yet implement SBAT checks and have been revoked by dbx updates by Microsoft. Booting them will require resetting the secure boot keys in your BIOS.