SBAT self-check failed: Mitigating the impact of shim 15.7 revocation on the Ubuntu boot process for devices running Windows

Thank you.

While we are waiting for the updated Ubuntu 22.04 ISO, I would like to share these steps (deduced from the mentioned workarounds) which may work without the need to disable Secure Boot if we want to install Ubuntu after the mentioned Windows update:

  • Download and extract (using e.g. 7-zip) http://launchpadlibrarian.net/723335313/shim-signed_1.51.4+15.8-0ubuntu1_amd64.deb (or a more recent version if any on shim-signed : amd64 : Jammy (22.04) : Ubuntu).
  • Inside (you may need to extract data.tar if it is not extracted automatically), go to data/usr/lib/shim, get shimx64.efi.signed.latest and copy it into the EFI/boot folder of an Ubuntu USB drive (prepared e.g. using Rufus and ubuntu-22.04.4-desktop-amd64.iso) as bootx64.efi (replace the existing one). Similarly, replace mmx64.efi.
  • This modified USB drive should now be able to install Ubuntu (note there might be a 1-2 min long black screen at boot…).

For an existing Ubuntu installation or after the above fresh installation, the bootx64.efi and mmx64.efi files that normally appear in /boot/efi/EFI/BOOT need to be updated:

  • We can boot from the modified temporary USB drive I suggested above and choose “Try Ubuntu” instead of “Install Ubuntu” to modify the existing installation on the internal disk.
  • To determine which partition is the EFI System Partition (ESP) of the internal disk, try sudo gparted, select your internal disk and find the partition that has the boot, esp flags, typically /dev/nvme0n1p1 or /dev/sda1 (its size is usually around 100-500 MB).
  • Then, assuming you downloaded and extracted shim-signed_1.51.4+15.8-0ubuntu1_amd64.deb (and extracted its data folder inside) in ~/Downloads and the ESP is /dev/nvme0n1p1:
    sudo mkdir /mnt/esp
    sudo mount /dev/nvme0n1p1 /mnt/esp
    sudo cp -f ~/Downloads/shim-signed_1.51.4+15.8-0ubuntu1_amd64/data/usr/lib/shim/shimx64.efi.signed.latest /mnt/esp/EFI/Boot/bootx64.efi
    sudo cp -f ~/Downloads/shim-signed_1.51.4+15.8-0ubuntu1_amd64/data/usr/lib/shim/shimx64.efi.signed.latest /mnt/esp/EFI/ubuntu/shimx64.efi
    sudo cp -f ~/Downloads/shim-signed_1.51.4+15.8-0ubuntu1_amd64/data/usr/lib/shim/mmx64.efi /mnt/esp/EFI/Boot/mmx64.efi
    sudo cp -f ~/Downloads/shim-signed_1.51.4+15.8-0ubuntu1_amd64/data/usr/lib/shim/mmx64.efi /mnt/esp/EFI/ubuntu/mmx64.efi
  • You should then be able to reboot to your existing Ubuntu installation on the internal disk.
  • It might not be necessary after the steps I proposed, but after rebooting to the Ubuntu installation on the internal disk,

means we should go to Software & Updates app, check Developer Options\Pre-released updates (jammy-proposed), close and choose Reload, then in the terminal run sudo apt install shim-signed, then un-check Developer Options\Pre-released updates (jammy-proposed) in Software & Updates to reset the modified settings back to default…
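
The copy steps for an existing installation in the post above, as an added example that is not part of the original post: it makes the same four copies onto a mounted ESP, but keeps a backup of each replaced loader and checks every copy against its source. The function names install_shim and sbat_generation, the script name and the .bak suffix are assumptions; the optional last step assumes objcopy (binutils) is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# sbat_generation COMPONENT
# Reads SBAT CSV (the text of a loader's .sbat section) on stdin and prints
# the generation number (second field) recorded for COMPONENT.
sbat_generation() {
    awk -F, -v c="$1" '$1 == c { print $2; exit }'
}

# install_shim SHIM_DIR ESP_ROOT
#   SHIM_DIR  extracted data/usr/lib/shim folder from the shim-signed .deb
#   ESP_ROOT  mount point of the ESP (/mnt/esp in the post)
# Makes the post's four copies, keeping a one-time .bak of each replaced file
# and comparing every copy byte for byte with its source.
install_shim() {
    src=$1
    esp=$2
    # Check everything first so a missing piece cannot leave a half-updated ESP.
    [ -f "$src/shimx64.efi.signed.latest" ] && [ -f "$src/mmx64.efi" ] ||
        { echo "shim files not found in $src" >&2; return 1; }
    [ -d "$esp/EFI/Boot" ] && [ -d "$esp/EFI/ubuntu" ] ||
        { echo "EFI/Boot or EFI/ubuntu not found under $esp" >&2; return 1; }
    for pair in \
        "shimx64.efi.signed.latest:EFI/Boot/bootx64.efi" \
        "shimx64.efi.signed.latest:EFI/ubuntu/shimx64.efi" \
        "mmx64.efi:EFI/Boot/mmx64.efi" \
        "mmx64.efi:EFI/ubuntu/mmx64.efi"
    do
        from=$src/${pair%%:*}
        to=$esp/${pair#*:}
        # Back up the loader being replaced, but never overwrite a backup.
        if [ -f "$to" ] && [ ! -f "$to.bak" ]; then
            cp "$to" "$to.bak" || return 1
        fi
        cp -f "$from" "$to" || return 1
        cmp -s "$from" "$to" || { echo "verify failed: $to" >&2; return 1; }
    done
}

# Real run (as root, ESP already mounted): sh install-shim.sh SHIM_DIR ESP_ROOT
if [ "$#" -eq 2 ]; then
    install_shim "$1" "$2" || exit 1
    sync
    # Optional: show the shim generation in the new loader (needs binutils).
    if command -v objcopy >/dev/null 2>&1; then
        objcopy -O binary --only-section=.sbat "$2/EFI/Boot/bootx64.efi" \
            /dev/stdout | sbat_generation shim
    fi
fi
```

If the new loader does not boot, copying each .bak file back over its original name restores the previous state.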