boot fails with with 'Verification failed: (0x1A) Security Violation'
This document (000021080) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP4
Situation
Trying to install SLES15 SP4 on systems with an existing OS, with shim version 15.7 or later, and UEFI secure boot enabled in the BIOS, booting fails with an error message 'Verification failed: (0x1A) Security Violation' on the console.
Resolution
Use the SLES15 SP4 latest Quarterly Update (QU3.1) ISO with a newer grub2/mokutil version to install SLES15 SP4 when the issue occurs.
These Quarterly Update ISOs contain all maintenance updates of the packages that have been released since the original OS ISO was shipped.
The QU (Quarterly Update) ISOs can be downloaded from the the regular SUSE Download page, and can be identified as quarterly update by their name. For example "SLE-15-SP4-Full-x86_64-QU3.1-Media1.iso".
To access the "QU" ISO, first click the "Account" link at the top of the SUSE Download page , then click "Login".
Then you will enter your SCC credentials. After authentication, scroll down the page to find the additional ISOs.
These Quarterly Update ISOs contain all maintenance updates of the packages that have been released since the original OS ISO was shipped.
The QU (Quarterly Update) ISOs can be downloaded from the the regular SUSE Download page, and can be identified as quarterly update by their name. For example "SLE-15-SP4-Full-x86_64-QU3.1-Media1.iso".
To access the "QU" ISO, first click the "Account" link at the top of the SUSE Download page , then click "Login".
Then you will enter your SCC credentials. After authentication, scroll down the page to find the additional ISOs.
Cause
The behavior is expected.
Shim version 15.7 or later blocks grub versions which have their .sbat section set to 1.
The scenario may occur when a security vulnerability is discovered.
For more information, please refer to UEFI shim bootloader secure boot life-cycle improvements [https://github.com/rhboot/shim/blob/main/SBAT.md ]
Shim version 15.7 or later blocks grub versions which have their .sbat section set to 1.
The scenario may occur when a security vulnerability is discovered.
For more information, please refer to UEFI shim bootloader secure boot life-cycle improvements [https://github.com/rhboot/shim/blob/main/SBAT.md ]
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021080
- Creation Date: 19-May-2023
- Modified Date:29-Jul-2024
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
