SBAT verification error booting Linux after Windows update

Which Linux distro are you using?
Ubuntu

Which release version?
24.04

Which kernel are you using?
6.8

Which BIOS version are you using?
3.05

Which Framework Laptop 13 model are you using?
AMD Ryzen™ 7040 Series

I just received my AMD Framework 13 DIY edition. I was planning on dual-booting Windows and Ubuntu. After installing Windows and updating the OS, it seems this Aug 13 update applied an update to SBAT:

  • [Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.

Since I wasn’t yet dual-booting Windows and Linux, the update did apply. And now I cannot boot from the Ubuntu 24.04 boot disk with secure boot enabled. I get the error:

Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

I still get this error even after wiping my Windows install from the SSD, restoring the secure boot to factory settings, and loading setup defaults. I even tried factory resetting by unplugging the battery, plugging in the AC power, and plugging the battery back in. And I still continue to get the SBAT error!

How do I clear this SBAT update out of my system? I’d like to just return everything to how it was when I received the laptop from the factory. After installing Windows, I won’t let updates run until I’ve installed Ubuntu first so that it’s configured for dual-boot and prevents the SBAT update.

I’ve tried deleting the SBAT policy as described in several places:

  1. Disabled secure boot
  2. Boot into the Ubuntu live environment
  3. Ran sudo mokutil --set-sbat-policy delete
  4. Rebooted into Ubuntu live environment
  5. Rebooted and reenabled secure boot

But I still continue to get the error. Oddly, only after I reenable secure boot, the first time I attempt to boot Ubuntu, it says:

Cannot reset SBAT policy: Secure Boot is enabled.
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

For some reason it only tries to delete the SBAT after secure boot is reenabled, and then it fails because secure boot is enabled?

If I run mokutil --list-sbat-revocations, I don’t see any of the results as described here. I just get:

SbatLevelRT is empty

2 Likes

So if I disable secure boot, install Ubuntu, and then reenable secure boot, it does boot the installed OS.

And if I run mokutil --list-sbat-revocations it lists:

sbat,1,2023012900
shim,2
grub,3
grub.debian,4

And now I can boot the Ubuntu install media with secure boot enabled! So the installed Ubuntu seems to have set/overridden the SBAT NVRAM entry.

1 Like
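The revocation listing above is what shim compares its own `.sbat` section (and later GRUB's) against: each line of SbatLevel names a component and the minimum generation that is still allowed, and a binary whose entry for that component carries a lower generation is rejected with exactly the "SBAT self-check failed" message quoted earlier. The script below is an added example, not code from the thread or from shim or mokutil: it reimplements that comparison in POSIX sh over constructed `.sbat` data for hypothetical old and new shim and GRUB builds, so you can see which component line actually trips the check. The efivarfs path for SbatLevelRT and the GUID in it are assumptions about where shim publishes the variable; the revocation list itself is copied from the post.

```shell
#!/bin/sh
# Revocation list in the shape of the mokutil --list-sbat-revocations output
# quoted in this thread (component,minimum-generation[,date]).
REVOCATIONS='sbat,1,2023012900
shim,2
grub,3
grub.debian,4'

# Constructed .sbat sections for hypothetical binaries (not real builds):
# component,generation,vendor,package,version,url
OLD_SHIM_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim'

NEW_SHIM_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.8,https://www.ubuntu.com/'

OLD_GRUB_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,3,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2'

# sbat_check REVOCATIONS SBAT_SECTION
# Returns 0 when every listed component in the binary meets its minimum
# generation, 1 when at least one is below it (printing the offending lines).
# A component that is absent from the binary is simply not affected.
sbat_check() {
    revs=$1
    sbat=$2
    rc=0
    while IFS=, read -r comp min_gen _rest; do
        [ -z "$comp" ] && continue
        # generation the binary claims for this component, if it has an entry
        bin_gen=$(printf '%s\n' "$sbat" | awk -F, -v c="$comp" '$1 == c { print $2; exit }')
        case "$bin_gen" in
            ''|*[!0-9]*) continue ;;   # absent or malformed: skip
        esac
        if [ "$bin_gen" -lt "$min_gen" ]; then
            printf 'revoked: %s generation %s < required %s\n' "$comp" "$bin_gen" "$min_gen"
            rc=1
        fi
    done <<EOF
$revs
EOF
    return $rc
}

# Read the live SbatLevelRT variable when efivarfs is mounted.
# Assumption: shim publishes it under its own vendor GUID; the first four
# bytes of an efivarfs file are the variable attributes, not the payload.
show_live_sbat_level() {
    var=/sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23
    if [ -r "$var" ]; then
        tail -c +5 "$var"
    else
        echo "SbatLevelRT not readable (no efivarfs, or the variable is unset)"
    fi
}

echo "== old shim =="
if sbat_check "$REVOCATIONS" "$OLD_SHIM_SBAT"; then echo accepted; else echo rejected; fi
echo "== new shim =="
if sbat_check "$REVOCATIONS" "$NEW_SHIM_SBAT"; then echo accepted; else echo rejected; fi
echo "== old grub =="
if sbat_check "$REVOCATIONS" "$OLD_GRUB_SBAT"; then echo accepted; else echo rejected; fi
echo "== live SbatLevelRT =="
show_live_sbat_level
```

Run it from a live environment to compare what the firmware currently holds against the `.sbat` section of the shim on your install media (`objdump -s -j .sbat /path/to/shimx64.efi` prints that section). Note that the `shim.ubuntu` style lines are distro-specific components: a revocation aimed at one distribution's build can name that component without touching the generic `shim` entry.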

Nice tip, saved me some hair pulling today as this update seems to have broken my perfectly happy Ubuntu 22.04 / Windows 11 dual boot and rendered my Ventoy boot disks unusable.

What an absolute dick move by Microsoft.

1 Like

I had the same problem: tried an NVMe swap to run Linux and got this error with Ubuntu 22.04 LTS.

This is because Microsoft screwed up: "Microsoft investigates a patch breaking dual-boot PCs" (The Register).

You may need updated install media, for instance, or keep secure boot off till Ubuntu (etc) can ship a fix.

1 Like