An HP Z4 G4 had:
- Secure boot enabled
- Windows 11 Home installed on an NVMe
- AlmaLinux 8.10 installed on a SATA HDD
- Grub from AlmaLinux used, which defaults to booting AlmaLinux but allows the Windows boot manager to be selected from the grub menu
- A write protected SD card to test booting Linux live images, selected by manually entering the BIOS boot menu
Following Windows 11 updates on 31 Aug 2024 (didn't make a note of the updates) found the AlmaLinux 9.3 live image would no longer boot. The following message was reported for a few seconds, before the PC powered off:
Verifying shim SBAT data failed: Security Policy Violation.
"SBAT self-check failed: Mitigating the impact of shim 15.7 revocation on the Ubuntu boot process for devices running Windows" was found linked from "Microsoft Windows update may break linux dual boot".
Updating to the AlmaLinux 9.4 live image then allowed the live image to boot. In the live image:
liveuser@localhost-live:~$ mokutil --sb-state
SecureBoot enabled
liveuser@localhost-live:~$ mokutil --list-sbat-revocations
sbat,1,2024010900
shim,4
grub,3
grub.debian,4
AlmaLinux 8.10 installed on a HDD still booted following the Windows update which stopped the AlmaLinux 9.3 live image booting.
The mokutil installed from mokutil-1:0.3.0-12.el8.x86_64 doesn't support the --list-sbat-revocations option.
The /boot/efi/EFI/almalinux/shimx64.efi has been installed from shim-x64 version 15.8. This is later than the version 15.7 which the Ubuntu article referenced above says was revoked.
Looking at the yum history:
- shim-x64-15.6-1.el8.alma.1.x86_64 installed on Sat 20 May 2023
- shim-x64-15.8-4.el8_9.alma.2.x86_64 installed on Fri 16 Aug 2024
In Ubuntu:
mr_halfword@Haswell-Ubuntu:~$ mokutil --sb-state
SecureBoot enabled
mr_halfword@Haswell-Ubuntu:~$ mokutil --list-sbat-revocations
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
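
The two revocation listings above differ only in the date stamp and the shim entry (shim,4 in the AlmaLinux 9.4 live image listing, shim,2 in the Ubuntu listing). The following is an added example, not part of the original notes, showing how an SBAT check compares the component generations in a binary's `.sbat` section against such a list. The `.sbat` content is a constructed sample rather than data read from any of the shims mentioned here, and the function names are hypothetical.

```python
import csv
import io

# Revocation lists copied from the two mokutil listings on this page.
REVOCATIONS_ALMA_LIVE = "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4\n"
REVOCATIONS_UBUNTU = "sbat,1,2023012900\nshim,2\ngrub,3\ngrub.debian,4\n"

# Constructed sample of a shim .sbat section (an assumption, not a real binary).
# Real data can be dumped with:
#   objcopy --only-section .sbat -O binary shimx64.efi /dev/stdout
SAMPLE_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.example,1,Example Distro,shim,15.x,mailto:security@example.invalid\n"
)


def parse_generations(text):
    """Map component name -> generation for SBAT CSV (binary section or revocation list)."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # skip blank or malformed rows
        name = row[0].strip()
        # Keep the highest generation if a component is listed twice.
        gens[name] = max(gens.get(name, 0), int(row[1]))
    return gens


def revoked_components(binary_sbat, revocations):
    """Return {component: (binary_gen, minimum_gen)} for entries below the revoked level."""
    have = parse_generations(binary_sbat)
    need = parse_generations(revocations)
    # A component fails when the binary declares it with a lower generation
    # than the minimum in the revocation list; unlisted components pass.
    return {
        name: (have[name], minimum)
        for name, minimum in need.items()
        if name in have and have[name] < minimum
    }


if __name__ == "__main__":
    for label, revs in (("AlmaLinux 9.4 live listing", REVOCATIONS_ALMA_LIVE),
                        ("Ubuntu listing", REVOCATIONS_UBUNTU)):
        failed = revoked_components(SAMPLE_SHIM_SBAT, revs)
        print(label, "->", "rejected: %s" % failed if failed else "accepted")
```

With the sample declaring shim generation 3, the check fails against the shim,4 list and passes against the shim,2 list, which is the kind of mismatch that produces a Security Policy Violation at boot.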