GRUB Update Gone Wrong: Microsoft Fix Breaks Linux Boot
Last week, numerous Linux users encountered a serious issue: their devices failed to boot after an update released by Microsoft as part of Patch Tuesday. Instead of the system starting normally, an error message was displayed.
The problem was caused by a bug in the update that aimed to fix a two-year-old vulnerability in GRUB—the bootloader used by many Linux devices.
The vulnerability, CVE-2022-2601 (CVSS score: 8.6), allowed attackers to bypass Secure Boot—a security standard that ensures devices do not load malicious software or firmware during startup. The vulnerability was discovered in 2022, but for reasons unknown, Microsoft has only now addressed it.
The update affected dual-boot devices, which have both Windows and Linux installed. When attempting to boot into Linux, users encountered the message: “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
Support and discussion forums quickly filled with reports of the issue [1,2,3]. Users noted that despite Microsoft’s assurances, the update indeed impacted dual-boot systems. According to users, the error is linked to an incompatibility between certain versions of the Linux bootloader and Microsoft’s new EFI microcode. Affected distributions included popular ones such as Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux.
Microsoft has yet to publicly acknowledge the existence of the bug, explain why it wasn’t detected during testing, or provide technical guidance for affected users. In the CVE-2022-2601 bulletin, Microsoft assured that the update would install SBAT—a Linux mechanism for revoking various components in the boot chain—only on devices running exclusively on Windows. The update was not supposed to affect dual-boot systems. However, in practice, this turned out not to be the case, leading to widespread user frustration.
Some users have found a temporary solution to the problem—disabling Secure Boot through the EFI panel. However, this method may be unacceptable for those who require the protection provided by Secure Boot. Another option is to remove the SBAT policy implemented by Microsoft.
Specific steps:
1. Disable Secure Boot;
2. Log in as an Ubuntu user and open the terminal;
3. Remove the SBAT policy using: `sudo mokutil --set-sbat-policy delete`
4. Restart the computer and log back into Ubuntu to update the SBAT policy;
5. Reboot the computer, then re-enable Secure Boot in the BIOS.
These actions allow users to retain some of the benefits of Secure Boot, even if they remain vulnerable to certain attacks.
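The steps above clear the revocation list the firmware stores in its SbatLevel variable, so shim's generation check no longer rejects the installed bootloader. As an added example, not code from the article, the script below is a simplified shell model of that check run on constructed CSV samples: a revocation list as a firmware might store it after an update, plus the .sbat sections of an older and a newer shim. The generation numbers, versions and message format are constructed for illustration; the real check lives in shim and has further nuances.

```bash
#!/bin/sh
# Added example (not from the article): model the SBAT generation check that
# shim performs at boot. Real inputs come from the SbatLevelRT firmware variable
# (under /sys/firmware/efi/efivars) and from the .sbat section of each EFI
# binary (objcopy -O binary --only-section=.sbat shimx64.efi /dev/stdout).
#
# Revocation list CSV:  component,min_generation[,date]
# Binary .sbat CSV:     component,generation,vendor,package,version,url

# Constructed revocation policy (values chosen for illustration only).
SBAT_LEVEL_SAMPLE='sbat,1,2024010900
shim,4
grub,3'

# Constructed .sbat section of an older shim below the required generation.
OLD_SHIM_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,15.7,https://github.com/rhboot/shim'

# Constructed .sbat section of a shim that satisfies the policy.
NEW_SHIM_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,15.8,https://github.com/rhboot/shim'

# sbat_check POLICY_CSV BINARY_SBAT_CSV
# Returns 1 (and names the first violated entry) if the binary would be
# rejected, 0 if it passes. Policy entries for components the binary does not
# carry are ignored: revocation only applies to components that declare a
# generation, and a lower generation than the policy demands is a violation.
sbat_check() {
  policy="$1"; binary="$2"
  while IFS=, read -r comp min_gen rest; do
    [ -n "$comp" ] || continue
    have_gen=$(printf '%s\n' "$binary" | awk -F, -v c="$comp" '$1==c {print $2; exit}')
    [ -n "$have_gen" ] || continue
    if [ "$have_gen" -lt "$min_gen" ]; then
      printf 'SBAT self-check failed: %s generation %s < required %s\n' \
        "$comp" "$have_gen" "$min_gen"
      return 1
    fi
  done <<EOF
$policy
EOF
  printf 'SBAT check passed\n'
  return 0
}

# Demonstration on the constructed samples: the old shim is refused, the new one boots.
for sample in "$OLD_SHIM_SBAT" "$NEW_SHIM_SBAT"; do
  if sbat_check "$SBAT_LEVEL_SAMPLE" "$sample"; then echo "-> would boot"; else echo "-> rejected"; fi
done
```

Deleting the policy (step 3 above) is equivalent to running the check with an empty revocation list, which is why the old shim boots again until a newer shim reinstates the list.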