[Solved] Can't boot Debian 12. Security Policy Violation

RenataTa
Posts: 9
Joined: 2024-08-20 00:16
Has thanked: 8 times

Re: Can't boot Debian 12. Security Policy Violation

#21 Post by RenataTa »

Aki wrote: 2024-08-28 19:36 Hello,
mm3100 wrote: 2024-08-28 19:00 Has there been any news about shim or grub update that will fix the issue?
According to "Accepted shim-signed 1.44~1+deb12u1 (source) into proposed-updates":
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-changes@lists.debian.org>
Subject: Accepted shim-signed 1.44~1+deb12u1 (source) into proposed-updates
Date: Fri, 16 Aug 2024 19:17:21 +0000
Signed by: Steve McIntyre <93sam@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Jul 2024 21:59:25 +0100
Source: shim-signed
Architecture: source
Version: 1.44~1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Changes:
shim-signed (1.44~1+deb12u1) bookworm; urgency=medium
.
* Build against new signed binaries corresponding to 15.8-1~deb12u1
* Update build-dep on shim-unsigned to use 15.8-1~deb12u1
* NOTE: this will block use of older grub binaries with sbat < 4
+ Update Depends on grub2-common to match.

* Multiple packaging updates backported:
+ Add Romanian translation for debconf templates (thanks to
Remus-Gabriel Chelu)
+ Stop recommending secureboot-db, we don't have that package
+ Tweak dependencies using substvars (thanks for help from Fabian
Grünbichler)
[…]
Hope this helps.
So should we update the shim? Or install something new? I didn't get what I'm supposed to write in the terminal in order to solve the problem. If anyone understood, please let me know, as if you were explaining it to an old lady. (Terminal lines I can understand.)

IT-Nerd
Posts: 19
Joined: 2014-03-23 23:44
Has thanked: 2 times
Been thanked: 2 times

Re: Can't boot Debian 12. Security Policy Violation

#22 Post by IT-Nerd »

Reading the BUG report thread, it seems that the update has not yet been made available to Debian 12 systems. What we can do for now is to avoid applying the Windows update on affected systems until the APT update with the new shim is available via an apt upgrade. Am I missing something?

Aki
Global Moderator
Posts: 4176
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 122 times
Been thanked: 561 times

Re: Can't boot Debian 12. Security Policy Violation

#23 Post by Aki »

Hello,

It is a rather complex matter.

As far as I know, Microsoft recently released a security update that modified the so-called "SBAT level variable" [1] (SBAT stands for "Secure Boot Advanced Targeting").

This variable is stored in the computer's NVRAM (Non-volatile random-access memory) and used by the UEFI firmware [1] :


Name: SbatLevel
Attributes: (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
Namespace Guid: 605dab50-e046-4300-abb6-3dd810dd8b23
We can look for it directly in EFI variables when secure boot is enabled:


$ efivar --list | grep -i sbat
605dab50-e046-4300-abb6-3dd810dd8b23-SbatLevelRT

$ efivar --name 605dab50-e046-4300-abb6-3dd810dd8b23-SbatLevelRT
GUID: 605dab50-e046-4300-abb6-3dd810dd8b23
Name: "SbatLevelRT"
Attributes:
	Boot Service Access
	Runtime Service Access
Value:
00000000  73 62 61 74 2c 31 2c 32  30 32 34 30 31 30 39 30  |sbat,1,202401090|
00000010  30 0a 73 68 69 6d 2c 34  0a 67 72 75 62 2c 33 0a  |0.shim,4.grub,3.|
00000020  67 72 75 62 2e 64 65 62  69 61 6e 2c 34 0a        |grub.debian,4.  |
As reported in previous posts, after the Microsoft security upgrade, it is currently:


$ mokutil --list-sbat-revocations 
sbat,1,2024010900
shim,4
grub,3
grub.debian,4
This variable lists, on each line from line 2 onwards, the EFI programs (called "component_name") and the minimum versions (called "component_generation") that the EFI firmware trusts to start (see the SBAT specification in [2]).

So, for example, trying to boot the computer using secure boot:
  • with a shim "component generation" < 4, the UEFI firmware will stop you with the error:
    Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
  • with a shim "component generation" >= 4, the boot will succeed.
So the UEFI firmware compares the 'component_name' and 'component_generation' between the 'SBAT level variable' (which contains the SBAT revocation list) and their counterparts stored in each EFI binary.
IT-Nerd wrote: 2024-08-29 09:10 Reading the BUG report thread, it seems that the update is not yet made available to Debian 12 systems.
The latest shim version released by the Debian project on 16 August in the bookworm-proposed-updates repository is:


$ apt -a list shim-signed
Listing... Done
shim-signed/proposed-updates,now 1.44~1+deb12u1+15.8-1~deb12u1 amd64 [installed]
shim-signed/stable 1.39+15.7-1 amd64
As you can see, there is a jump (1.39 -> 1.44) between the version released in Debian Bookworm and the one in the Debian Bookworm proposed-updates repository.

If you examine the contents of the newer shimx64 boot loader, you will find:


$ objdump -h /boot/efi/EFI/debian/shimx64.efi 

/boot/efi/EFI/debian/shimx64.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     0001db64  0000000000005000  0000000000005000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         0005ef3e  0000000000023000  0000000000023000  0001e000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  0000000000082000  0000000000082000  0007d000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data.ident   0000006b  0000000000084000  0000000000084000  0007d200  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  4 .sbatlevel    0000006b  0000000000085000  0000000000085000  0007d400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .data         0002dd94  0000000000086000  0000000000086000  0007d600  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  6 .vendor_cert  0000258a  00000000000b4000  00000000000b4000  000ab400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynamic      00000100  00000000000b7000  00000000000b7000  000ada00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  8 .rela         0001b468  00000000000b8000  00000000000b8000  000adc00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .sbat         000000c6  00000000000d4000  00000000000d4000  000c9200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
As you can see, the file has a ninth section called ".sbat": this is the section added to the executable binary containing the SBAT data for this specific EFI executable (shimx64.efi). These are the contents of the shimx64.efi .sbat section:


$ objdump -j .sbat -s /boot/efi/EFI/debian/shimx64.efi | head -20

/boot/efi/EFI/debian/shimx64.efi:     file format pei-x86-64

Contents of section .sbat:
 d4000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d4010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d4020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d4030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d4040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d4050 2c342c55 45464920 7368696d 2c736869  ,4,UEFI shim,shi
 d4060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d4070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d4080 696d0a73 68696d2e 64656269 616e2c31  im.shim.debian,1
 d4090 2c446562 69616e2c 7368696d 2c31352e  ,Debian,shim,15.
 d40a0 382c6874 7470733a 2f2f7472 61636b65  8,https://tracke
 d40b0 722e6465 6269616e 2e6f7267 2f706b67  r.debian.org/pkg
 d40c0 2f736869 6d0a                        /shim.  
Only as text, the contents of the .sbat section of shimx64.efi are:


sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.debian,1,Debian,shim,15.8,https://tracker.debian.org/pkg/shim
Therefore, the shim-signed from bookworm-proposed-updates (version 1.44~1+deb12u1+15.8-1~deb12u1 amd64) has a "component generation" of 4, which is equal to the minimum accepted in the "SBAT level variable" (see above).

So the UEFI firmware should allow this shim version to boot.

To install the latest version of shim for Debian Bookworm, you need to configure bookworm-proposed-updates by adding the following line to /etc/apt/sources.list:


deb http://deb.debian.org/debian/ bookworm-proposed-updates main 
Then, you need to update the OS:


sudo apt update
sudo apt upgrade
Hope this helps.

----
[1] shim / SbatLevel_Variable.txt
[2] UEFI shim bootloader secure boot life-cycle improvements
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
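The comparison described in the post above, replayed in code. This is an added example, not code from the thread, from Debian or from the shim project. It decodes the `objdump -s -j .sbat` hex dump quoted above back into the .sbat CSV, parses that CSV and the `mokutil --list-sbat-revocations` list with one two-field parser, and applies the rule that shim itself enforces when it checks its own .sbat section against SbatLevel (the "SBAT self-check" in the error message): every component named in the revocation list that the binary also declares must be at a generation not lower than the revoked minimum. The "old shim" entries (shim generation 3, version 15.7) and the decision to refuse a binary with no SBAT entries at all are assumptions made for this example.

```python
"""Replay the SBAT check that shim performs at boot.

Added example; not code from Debian, shim or the thread's authors. Only the
first two CSV fields (component_name, component_generation) take part in the
comparison; the remaining fields are vendor metadata.
"""
import string

# Copied from the thread: `objdump -j .sbat -s /boot/efi/EFI/debian/shimx64.efi`
OBJDUMP_SBAT = """\
/boot/efi/EFI/debian/shimx64.efi:     file format pei-x86-64

Contents of section .sbat:
 d4000 73626174 2c312c53 42415420 56657273  sbat,1,SBAT Vers
 d4010 696f6e2c 73626174 2c312c68 74747073  ion,sbat,1,https
 d4020 3a2f2f67 69746875 622e636f 6d2f7268  ://github.com/rh
 d4030 626f6f74 2f736869 6d2f626c 6f622f6d  boot/shim/blob/m
 d4040 61696e2f 53424154 2e6d640a 7368696d  ain/SBAT.md.shim
 d4050 2c342c55 45464920 7368696d 2c736869  ,4,UEFI shim,shi
 d4060 6d2c312c 68747470 733a2f2f 67697468  m,1,https://gith
 d4070 75622e63 6f6d2f72 68626f6f 742f7368  ub.com/rhboot/sh
 d4080 696d0a73 68696d2e 64656269 616e2c31  im.shim.debian,1
 d4090 2c446562 69616e2c 7368696d 2c31352e  ,Debian,shim,15.
 d40a0 382c6874 7470733a 2f2f7472 61636b65  8,https://tracke
 d40b0 722e6465 6269616e 2e6f7267 2f706b67  r.debian.org/pkg
 d40c0 2f736869 6d0a                        /shim.
"""

# Copied from the thread: `mokutil --list-sbat-revocations` after the Windows update
SBAT_LEVEL = """\
sbat,1,2024010900
shim,4
grub,3
grub.debian,4
"""

# Constructed for this example: what an older shim (generation 3) would carry
OLD_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.debian,1,Debian,shim,15.7,https://tracker.debian.org/pkg/shim
"""


def _is_hex(token: str) -> bool:
    return bool(token) and all(c in string.hexdigits for c in token)


def decode_objdump_hexdump(dump: str) -> str:
    """Rebuild the section bytes from `objdump -s` output.

    Data lines look like ' <offset> <1-4 hex words>  <ascii column>'. Only the
    hex words are decoded; the ASCII column shows '.' for bytes such as 0x0a.
    """
    data = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("  ", 1)[0]          # drop the ASCII column
        tokens = hex_part.split()
        if len(tokens) < 2 or not all(_is_hex(t) for t in tokens):
            continue                               # file header / blank lines
        for word in tokens[1:]:                    # tokens[0] is the offset
            data += bytes.fromhex(word)
    return data.decode("ascii")


def parse_sbat_csv(text: str) -> dict:
    """Map component_name -> component_generation.

    Works for a binary's .sbat section (6 fields per line) and for the
    SbatLevel list (2 fields, plus a date on the leading 'sbat' line).
    """
    gens = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, generation = line.split(",")[:2]
        gens[name] = int(generation)
    return gens


def sbat_check(binary: dict, level: dict) -> list:
    """Return the reasons the binary would be refused; an empty list means it boots.

    A component the binary does not declare is not checked. A binary with no
    SBAT entries at all is refused here (assumption made for this example).
    """
    if not binary:
        return ["no .sbat data in binary"]
    return [
        f"{name}: generation {binary[name]} < required {required}"
        for name, required in level.items()
        if name in binary and binary[name] < required
    ]


def classify_shims() -> dict:
    """Run the check for the shim 15.8 dump above and the constructed old shim."""
    level = parse_sbat_csv(SBAT_LEVEL)
    new_shim = parse_sbat_csv(decode_objdump_hexdump(OBJDUMP_SBAT))
    old_shim = parse_sbat_csv(OLD_SHIM_SBAT)
    return {
        "shim 15.8 (shim,4)": sbat_check(new_shim, level),
        "old shim (shim,3)": sbat_check(old_shim, level),
    }


if __name__ == "__main__":
    for label, problems in classify_shims().items():
        verdict = "boots" if not problems else "Security Policy Violation"
        print(f"{label}: {verdict}")
        for p in problems:
            print("   ", p)
```

Run as a script it prints both verdicts. The same `sbat_check` can be fed the `objdump -s -j .sbat` output of grubx64.efi, whose entries (grub, grub.debian) are the ones the other revocation lines apply to, which is why the changelog quoted earlier warns that older grub binaries with sbat < 4 are blocked as well.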

djfrogster3000
Posts: 3
Joined: 2024-08-13 22:54

Re: Can't boot Debian 12. Security Policy Violation

#24 Post by djfrogster3000 »

gaby wrote: 2024-08-22 15:01 Has anybody yet tried


sudo mokutil --set-sbat-policy delete
on Debian?

It was suggested as a solution on Ubuntu.

Will there be an updated GRUB or Debian Package that will automatically fix the problem?

I would like to re-enable secure boot in BIOS again.
Yes, that solution fixed my problem. I can now dual boot Windows 10 and Debian 12 with secure boot enabled.

mm3100
Posts: 341
Joined: 2020-10-21 21:39
Has thanked: 8 times
Been thanked: 14 times

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#25 Post by mm3100 »

Adding bookworm-proposed-updates and updating everything fixed the issue. I was able to start the system normally with secure boot turned on, thanks a lot!

I did remove the bookworm-proposed-updates line after that; I don't need it normally.

Aki

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#26 Post by Aki »

mm3100 wrote: 2024-08-29 19:00 Adding bookworm-proposed-updates and updating everything fixed the issue. I was able to start the system normally with secure boot turned on, thanks a lot!

I did remove the bookworm-proposed-updates line after that; I don't need it normally.
I'm glad you sorted it out. :)

Happy Debian ! :)

IT-Nerd

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#27 Post by IT-Nerd »

Thank you very much, Aki, for the detailed explanation. Is the proposed update eventually coming to Debian 12 Bookworm? Should one expect a release on the main channel in the near future? There was also a problem with the Nvidia drivers a couple of months ago, which took weeks to move from proposed to normal updates.

TylerD75
Posts: 1
Joined: 2024-08-30 18:27

Re: Can't boot Debian 12. Security Policy Violation

#28 Post by TylerD75 »

Aki wrote: 2024-08-28 19:36
mm3100 wrote: 2024-08-28 19:00 Has there been any news about shim or grub update that will fix the issue?
According to:
Thanks for this info. I added the proposed-updates repository, and installed the latest shim-signed 1.44 (and updated grub2 as well).
I then enabled SecureBoot, and everything is working great!

RenataTa

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#29 Post by RenataTa »

Unfortunately, it is still not working for me.
I typed this in the terminal to see if the update and upgrade were done correctly, and I got this:


 apt -a list shim-signed
Listing... Pronto
shim-signed/proposed-updates,now 1.44~1+deb12u1+15.8-1~deb12u1 amd64 [installed]
shim-signed/stable 1.39+15.7-1 amd64

shim-signed/proposed-updates 1.44~1+deb12u1+15.8-1~deb12u1 i386
shim-signed/stable 1.39+15.7-1 i386
So, it seems that the update worked, but when I enable secure boot I still receive the same message. I am trying to reinstall grub and wait for 2 more boots; sometimes this computer only works after a while.
But I really thank you very much, Aki, for the help!

Aki

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#30 Post by Aki »

Hello @IT-Nerd,
IT-Nerd wrote: 2024-08-29 20:11 Thank you very much, Aki, for the detailed explanation. Is the proposed update eventually coming to Debian 12 Bookworm? Should one expect a release on the main channel in the near future? There was also a problem with the Nvidia drivers a couple of months ago, which took weeks to move from proposed to normal updates.
I'm glad it was helpful.

As reported here [1]:
Preparation of point releases is done through the "proposed-updates" mechanism. Updated packages are uploaded to a separate queue called p-u-new (o-p-u-new), before they are accepted in "proposed-updates".
So the updated shim package will be included in the next Debian Stable (Bookworm) point release (unless a blocking bug report is posted).

----
[1] The "proposed-updates" mechanism

Aki

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#31 Post by Aki »

Hello @RenataTa,
RenataTa wrote: 2024-08-31 00:37 Unfortunately, it is still not working for me.
[..]
So, it seems that the update worked, but when I enable secure boot I still receive the same message. I am trying to reinstall grub and wait for 2 more boots; sometimes this computer only works after a while.
But I really thank you very much, Aki, for the help!
Is the error message exactly the following?
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
Do you have more than one Linux distribution installed on your computer and/or more than one hard disk?

kevlar7007
Posts: 2
Joined: 2024-09-10 17:14

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#32 Post by kevlar7007 »

To save myself disabling secure boot to do some maintenance while root was unmounted, I booted the Debian-12.7 live KDE desktop image on a Devuan system (Bookworm 12).

To my surprise it has had the exact same effect as the Windows update. I guess I now need to wait for the Debian update to my main OS too. I guess Debian should update the shim in the repos before the .iso?

Aki

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#33 Post by Aki »

Hello,
kevlar7007 wrote: 2024-09-10 17:21 To save myself disabling secure boot to do some maintenance while root was unmounted, I booted the Debian-12.7 live KDE desktop image on a Devuan system (Bookworm 12).

To my surprise it has had the exact same effect as the Windows update. I guess I now need to wait for the Debian update to my main OS too. I guess Debian should update the shim in the repos before the .iso?
As far as I know, the Debian Live ISO does not change anything in the system it is booted from. Unless you have done something else.

kevlar7007

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#34 Post by kevlar7007 »

Aki wrote: 2024-09-10 19:01 Hello,
kevlar7007 wrote: 2024-09-10 17:21 To save myself disabling secure boot to do some maintenance while root was unmounted, I booted the Debian-12.7 live KDE desktop image on a Devuan system (Bookworm 12).

To my surprise it has had the exact same effect as the Windows update. I guess I now need to wait for the Debian update to my main OS too. I guess Debian should update the shim in the repos before the .iso?
As far as I know, the Debian Live ISO does not change anything in the system it is booted from. Unless you have done something else.
I clicked my encrypted drive in Dolphin and entered my password. Then I dropped to the console and did ls /dev/mapper, then shutdown -h now.

My guess is that the shim carries revocations that updated my local list, as it was signed correctly, which is pretty cool but problematic if you have multiple boot systems like ISOs or multiple Linux installs. I only have Devuan installed, so I shall just disable secure boot for booting recovery disks in future. Though I guess it shouldn't happen too often.

mokutil --list-sbat-revocations gives:

sbat,1,2024010900
shim,4
grub,3
grub.debian,4

IT-Nerd

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#35 Post by IT-Nerd »

I am happy to report that Debian 12.7 has solved the issue. On an affected system perform:


apt update && apt upgrade
Good guy Debian.

phaedral
Posts: 1
Joined: 2024-09-12 02:34

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#36 Post by phaedral »

7:38 pm UTC -7 Los Angeles, I'm getting "...invalid for another 5h..." when I try apt update && apt upgrade.

To get that far I turned off fast boot and secure boot, which let me boot into my debian partition. Once booted I saw I had not done an update in aptitude for a while. I usually check for updates when I log in, guess I'll get back to that habit.

Created an account mostly so I could say thank you to the good folks here who make it possible for the rest of us to get things done. Very much obliged.

Is there really any reason to turn fast boot and secure boot back on?

RenataTa

Re: [Solved] Can't boot Debian 12. Security Policy Violation

#37 Post by RenataTa »

Aki wrote: 2024-08-31 01:19 Hello @RenataTa,

Is the error message exactly the following?
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
Do you have more than one Linux distribution installed on your computer and/or more than one hard disk?
Hello Aki,
sorry for taking so long to answer. Yes, the message is the same: Verifying shim SBAT data failed: Security Policy Violation.
I don't have any other distro on this computer. At first I thought it was some grub problem with the hardware, because once I installed Zorin and I was unable to use dual boot. Then I cleaned all the SSD partitions, including the one where Zorin was, and installed Debian. So all grub problems disappeared until that change made by Windows. I have disabled secure boot; that's how things are working so far. Maybe in a couple of months I will try to reinstall again, but install Debian on the HD.
