Cogito ergo sum

How to solve Ubuntu not booting on a dual-boot machine because of shim SBAT security policy violation2 min read

By Peshmerge Morad
In Linux
1 month ago
3 Min read
Add comment

Background

As a regular reader of this blog, you already know I use a dual-boot setup on my laptop where Ubuntu 22.04 is installed alongside Windows 11.
Yesterday,14th August, I had to work on my Windows machine and before turning it off, I saw that there were updates available. And I think I’m not the only one here who is notoriously weak to those yellow/orange dots on the Windows shutdown/restart/sleep menu options, and I can’t resist clicking on them and updating Windows.

Windows restart/shutdown/sleep options menu

So, what I did, I just hit “Update and shut down”, business as usual xD. However, this time, it was unfortunately not business as usual. The installed update (August 13, 2024—KB5041585 (OS Builds 22621.4037 and 22631.4037)) just corrupted something which I don’t exactly what, but it seems it’s related to Secure boot. The update corrupted the shim SBAT, which stands for Secure Hardware Information Management Secure Boot and Attestation Tool. It’s a security mechanism used in modern computing systems, particularly in Windows, to ensure the integrity of the boot process and verify that only trusted software is loaded during system startup.

What happened, I was not able to boot into Ubuntu any more, and after the machine booted up, I got the following message:

Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.

Solution

After spending hours on the internet searching for a solution, I found the solution to this problem.

  1. Disable Secure Boot in your UEFI settings. In my case (Dell XPS), I had to press F2 during booting and then navigate to Secure Boot –> disable secure boot. Restart, now you must be able to log in to your Ubuntu.
  2. Open the Ubuntu terminal (CTRL+SHIFT+T) and execute the following command: mokutil --list-sbat-revocations the output will be similar to the following:
    sbat,1,2024010900 shim,2 grub,3
  3. If yes, run the following command sudo mokutil -set-sbat-policy delete
  4. Reboot Ubuntu, and again run the command from 2, you are supposed to see sbat,1,2021030218
  5. If yes, reboot again, and via the UEFI settings screen enable secure boot. You will be able to use dual-boot as you have always been doing 🙂

But wait what the heck is mokutil ? It’s a tool to import or delete the machine’s owner keys (MOK) stored in the database of shim. You can read more about this tool using this link

About the author

Peshmerge Morad

a machine learning & software engineer based in Germany, whose interests span multiple fields.

View all posts

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Read more

3 weeks ago

How to upload your WordPress plugin to the WordPress Plugins directory using SVN on Ubuntu

By Peshmerge Morad
In Web, WordPress
3 weeks ago
3 Min read
Add comment
29August

Background Today my third WordPress plugin has been approved and added to the WordPress Plugins directory. A usual action after your plugin submission has been approved, is to push the code to the WordPress SVN repository. I must confess that I was never able to memorize all the commands and steps to push the code. I am very good at Git and using it because I have been using it for more than 12...

4 months ago

My dual-boot setup suddenly stopped working on my Dell XPS

By Peshmerge Morad
In Linux
4 months ago
2 Min read
Add comment
07May

I have been using Ubuntu (20 and then 22.0) and Windows 11 on my Dell XPS 15, 7590 for over three years without any major problems related to booting. I use Ubuntu on my laptop daily and occasionally log into Windows when I need to use Adobe Photoshop or  Acrobat. However, I have been using Windows daily for the past two weeks. Yesterday, I logged in to Ubuntu and did the usual sudo apt update...

August 31, 2023

How to restore files from a disk storage with bad sectors using GNU ddrescue on Ubuntu Linux

By Peshmerge Morad
In General, Linux
August 31, 2023
7 Min read
Add comment
31August

Background   Losing access to our precious data due to hardware failures is a nightmare for all of us. Bad sectors on a hard disk drive (HDD) or any other similar failures can block normal data copy/transfer operations and render some of your files inaccessible. Fortunately, there are advanced tools and techniques available that can help rescue this data. One such tool isGNU ddrescue, that...

Cogito ergo sum