¶ Problem
Since mid-August 2024, some computers fail to start Endless OS with the following error:
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
This problem is currently believed to affect computers which dual-boot Endless OS with Windows, or new installations of Endless OS on computers which have previously used Windows.
¶ Temporary workaround (if the problem has occurred)
The Endless OS team is working on a permanent solution. A temporary workaround to allow you to access both Endless OS and Windows is to disable Secure Boot in your computer's firmware settings. This process is different on different computers, but the steps are roughly as follows:
- Turn off the computer.
- Turn on the computer.
- Immediately press a certain key. The key is different for different computers; it is usually F2, F12, or Del, and there may be instructions shown on screen when the computer starts up.
- Choose to enter the firmware settings, BIOS configuration, or a similar term.
- Find the section of the settings which concern Secure Boot.
- Take a photograph of the settings page before changing any settings.
- Change the Secure Boot option to Disabled.
- Choose to save settings and exit.
Alternatively you can access Windows without disabling Secure Boot:
- Turn off the computer.
- Turn on the computer.
- Immediately press a certain key. The key is different for different computers; it is usually F2, F12, or Del, and there may be instructions shown on screen when the computer starts up.
- Select the Windows Boot Manager from the boot menu. It may look something like this:
¶ Disabling this update
If this Windows update has not yet been applied, Microsoft documents a mechanism to opt out. Under Windows, open a command prompt and run the following command:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
¶ Technical details
Most modern PCs use a technology called UEFI Secure Boot to only allow operating systems to boot if their bootloader has been digitally signed by some trusted authority, which in practice means Microsoft. Endless OS, like most other Linux distributions, uses two bootloaders. First, the PC loads a copy of Shim, which is signed by Microsoft. Shim in turn boots GRUB, but only after checking that it is signed by the Linux distributor's key, which is embedded into Shim.
Several years ago, security bugs were found in both Shim and GRUB which allowed booting untrusted code. These bugs were fixed in newer versions of Shim and GRUB. Unfortunately, the version of Shim used by Endless OS has not yet been updated; and Endless OS does not currently have a way to install newer versions of Shim and GRUB when the OS is upgraded.
In August 2024, Microsoft issued an update for Windows, KB5041580, which configures the firmware not to allow older versions of Shim to boot with Secure Boot enabled. The update documentation states:
This SBAT update will not apply to systems that dual-boot Windows and Linux.
but unfortunately it appears that Endless OS dual-boot systems are not recognised as such, so the update is applied even if Endless OS is installed.
The Endless OS team is working on an updated version of Shim which will ultimately be included in a future Endless OS update, along with a bootloader update mechanism. In the meantime, it is necessary to disable Secure Boot to start Endless OS on systems which have applied KB5041580.