Microsoft pushed out an SBAT update to protect against CVE-2022-2601 in August.

If you try to boot the current Debian or Ubuntu ISO (12.6.0 and 24.04, respectively) on a system that got Windows August 2024 updates, the system won't boot due to an SBAT security policy violation. ("Verifying shim SBAT data failed: Security Policy Violation")

Both Ubuntu (https://ubuntu.com/security/CVE-2022-2601) and Debian (https://security-tracker.debian.org/tracker/CVE-2022-2601) claim to have released fixes for CVE-2022-2601, though. 🤔

Everything SecureBoot seems to be some combination of YOLO and wishful thinking.


Per Microsoft, "You might find that older Linux distribution ISOs will not boot."

I guess their definition of "older Linux distribution ISOs" includes the current Ubuntu and Debian ISOs.

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-2601


While Microsoft claims "The SBAT value is not applied to dual-boot systems that boot both Windows and Linux", is this always true?

If I have a Windows system that I sometimes boot into Linux from a USB drive, will Windows Update be able to detect this? Of course not. What if I use some sort of other unexpected "dual boot" mechanism? Will Windows Update detect this? Maybe.

With the August Microsoft SBAT update, SecureBoot will fail to boot any EFI module that specifies anything less than shim,4

What does the Ubuntu 24.04 ISO specify?
shim,2

This is why the Ubuntu 24.04 (and others) ISO won't boot on a SecureBoot system that has the August SBAT updates that Microsoft pushed out.
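The shim,4 versus shim,2 comparison described above, as an added example that is not part of the thread: a small checker that parses a binary's SBAT CSV and an SBAT revocation policy and reports which components fall below the generation the policy requires. The policy and .sbat strings are constructed samples, and the datestamp in the policy header is a placeholder.

```python
import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class Violation:
    component: str
    have: int       # generation the binary declares
    required: int   # generation the policy demands


def parse_sbat(text: str) -> dict[str, int]:
    """Parse SBAT CSV into {component: generation}; the binary's .sbat section and
    the revocation policy both keep name and generation in the first two columns."""
    gens: dict[str, int] = {}
    for row in csv.reader(StringIO(text)):
        if len(row) < 2 or row[0].startswith("#"):
            continue  # blank line or comment
        gens[row[0].strip()] = int(row[1])
    return gens


def check_sbat(binary: dict[str, int], policy: dict[str, int]) -> list[Violation]:
    """Components whose declared generation is below the policy's. A component the
    policy never names is unconstrained; one the binary lacks is not a violation."""
    return [
        Violation(name, binary[name], required)
        for name, required in sorted(policy.items())
        if name in binary and binary[name] < required
    ]


def would_boot(sbat_text: str, policy_text: str) -> tuple[bool, list[Violation]]:
    """Mirror shim's verdict: any violation is a 'Security Policy Violation'."""
    violations = check_sbat(parse_sbat(sbat_text), parse_sbat(policy_text))
    return (not violations, violations)


# Constructed samples: a policy demanding shim >= 4 (what the thread says the
# August 2024 update enforces; the header datestamp is a placeholder) and a shim
# that declares only generation 2, as the thread says the Ubuntu 24.04 ISO does.
AUGUST_2024_POLICY = "sbat,1,2024080600\nshim,4\ngrub,3\n"
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
NEW_SHIM_SBAT = OLD_SHIM_SBAT.replace("shim,2,", "shim,4,")  # identical except for the shim generation
```

`would_boot(OLD_SHIM_SBAT, AUGUST_2024_POLICY)` reports the shim,2 violation that the thread's error message corresponds to, while the shim,4 sample passes.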

Aside from those unfortunate souls who have a dual-boot system that both wasn't detected by Microsoft and also is out of date enough so that its boot bits are noncompliant, who else might be affected by this?

Ventoy will fail to work on a SecureBoot-enabled Windows system with August's updates. The current Ventoy doesn't have a "shim,4" compliant EFI bootloader.

You can fix this if you don't care to wait for Ventoy to fix this.
Or do what probably a lot of people do, which is disable SecureBoot and forget to ever turn it back on again.
https://github.com/ventoy/Ventoy/issues/2692#issuecomment-2031412234

@wdormann Been curious if it impacts dual-boot systems with a different OS on different drives.

@james_inthe_box
I've been unable to reproduce the SBAT deployment, even with Linux on a separate disk. That is, in all of my testing, the August Microsoft update doesn't deploy the SBAT update if Linux is present in any way.

So I suppose that an affected party might have to volunteer some details of their config to have an idea of how it happens.

@wdormann Good info, thanks... haven't seen it myself either, sadly :(

@james_inthe_box
OK, I actually did just reproduce this. I think what threw me off was that I needed to go through a full boot-to-Windows cycle and shut down again after installing August's update to get the SBAT update installed.

I'll likely do further testing to determine a minimal testcase, but what triggered it in this particular case is:
1) Start with a Windows 11 system
2) Add a disk and install Ubuntu 22.04 to it.
3) Set UEFI default boot option to Windows
4) Install August's updates
5) Boot into Ubuntu (e.g. via UEFI)

@james_inthe_box
Actually, it just requires booting into Windows TWICE for the SBAT to be installed on a dual-boot system. 😂

https://infosec.exchange/@wdormann/113003321097252640

Will Dormann (@[email protected]):

(1 image attached) Back to Microsoft's "The SBAT value is not applied to dual-boot systems that boot both Windows and Linux". What causes the SBAT value to be installed? You boot into Windows TWICE after installing August's updates. That's it. Booting into Windows twice fails Microsoft's test of whether a system is a dual-boot system. 🤦‍♂️ If you've used Windows twice since installing August's updates, you lose the ability to SecureBoot into Linux if your distro has out-of-date signed Grub stuff (e.g. Ubuntu 22.04). Here is a system that dual boots Windows 11 and fully-patched Ubuntu 22.04. If you boot into Windows twice, you lose the ability to SecureBoot into Ubuntu 22.04.
@wdormann Reboot 15 times for some things, twice for others... ya, makes sense.