SUSE Support

Secure boot problems with older Operating System media / dual boot systems with Microsoft Windows

This document (000021539) is provided subject to the disclaimer at the end of this document.

Environment

Applies to systems running a dual boot configuration only.

Situation

When booting an x86 system in Secure Boot mode, a text dialog reports:
"Secure Boot Violation: 1A"
and stops the boot process.

Resolution

Under the Secure Boot security model, the Secure Boot tooling has to prevent older versions of Secure Boot components from booting, so that security bugs that have already been fixed cannot be exploited. To do this, a UEFI variable called "SBATLevel" (also known as the "SBAT policy") is set on the machine; it blocks older versions of Secure Boot components from booting.

The primary Secure Boot component affected is the so-called "shim". The most recent SBAT policy update blocks all "shim" versions before version 15.8, which was released in spring 2024.

Currently working:

- All flavors of SUSE Linux Enterprise operating systems under general support and maintenance, and under LTSS, that are fully updated.
- openSUSE Tumbleweed, Leap and Leap Micro with all updates installed.

Also using the following boot media will work:

- SUSE Linux Enterprise 15 SP6 GA
- SUSE Linux Enterprise 15 SP5 Quarterly Update 4 or newer
- SUSE Linux Enterprise 15 SP4 Quarterly Update 4 or newer
- openSUSE Leap 15.6

The following boot media will NOT work in the update case described above:

- SUSE Linux Enterprise Server 15 SP5 QU 3 and older quarterly updates and service packs.
- SUSE Linux Enterprise Micro 5.x and 6.0.
- openSUSE Leap 15.5, Leap Micro 5.x and Leap Micro 6.0.

Workaround

How to work around this problem:

- Disable Secure Boot temporarily.

  This can usually be done in the BIOS of the system.
  After that, install the system, apply all updates, and re-enable Secure Boot.

- Remove or downgrade the SBAT policy temporarily.

  As before, boot a system with Secure Boot disabled.
  Then run the following command in the system as root:

      mokutil --set-sbat-policy delete

  Reboot and re-enable Secure Boot.

  Please note that on the next boot with Secure Boot enabled, the SBAT policy is reinstated and older versions will be blocked again.
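
The comparison that the SBAT policy described under Resolution performs can be reproduced offline. The script below is an added example, not SUSE tooling: it compares the generation numbers in a boot component's .sbat data against the policy minimums, using constructed policy and shim data (the generation numbers, datestamps and vendor fields are illustrative assumptions, not values read from a real machine).

```shell
#!/bin/sh
# Added example. All policy and .sbat data below is constructed sample data.
# On a live system the policy can be listed with: mokutil --list-sbat-revocations
# and a binary's data dumped with:
#   objcopy -O binary --only-section=.sbat FILE /dev/stdout

# sbat_violations POLICY SBAT_DATA
# Prints "component found<required" for each component of the binary whose
# generation is below the minimum generation the policy demands.
sbat_violations() {
    { printf '%s\n' "$1"; echo '@@'; printf '%s\n' "$2"; } | awk -F, '
        /^@@$/ { in_binary = 1; next }           # separator: policy above, binary below
        NF < 2 || $2 !~ /^[0-9]+$/ { next }      # skip blank or malformed lines
        !in_binary { min[$1] = $2 + 0; next }    # policy line: component,min_generation
        ($1 in min) && ($2 + 0 < min[$1]) { printf "%s %d<%d\n", $1, $2, min[$1] }'
}

# sbat_verdict POLICY SBAT_DATA -> prints "blocked" or "allowed"
sbat_verdict() {
    if [ -n "$(sbat_violations "$1" "$2")" ]; then echo blocked; else echo allowed; fi
}

# Constructed policy that requires a newer shim generation.
POLICY='sbat,1,2024010900
shim,4'
# Constructed policy without a shim entry, standing in for a removed or
# downgraded policy as in the second workaround.
RELAXED_POLICY='sbat,1,2021030218'

# Constructed .sbat contents: component,generation,vendor,package,version,url
OLD_SHIM='sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md
shim,3,UEFI shim,shim,1,https://example.invalid/shim
shim.example,1,Example Vendor,shim,15.7,https://example.invalid'
NEW_SHIM='sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md
shim,4,UEFI shim,shim,1,https://example.invalid/shim
shim.example,1,Example Vendor,shim,15.8,https://example.invalid'

printf 'older shim, current policy: %s (%s)\n' \
    "$(sbat_verdict "$POLICY" "$OLD_SHIM")" "$(sbat_violations "$POLICY" "$OLD_SHIM")"
printf 'newer shim, current policy: %s\n' "$(sbat_verdict "$POLICY" "$NEW_SHIM")"
printf 'older shim, relaxed policy: %s\n' "$(sbat_verdict "$RELAXED_POLICY" "$OLD_SHIM")"
```

The decision depends on the generation number in the component's .sbat data, not on the package version string, which is why fully updated installations keep booting while older media are refused.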

Cause

There can be multiple reasons for this:

- A recently installed or fully updated Linux operating system is present on the machine, and now an older or
  non-updated Linux OS version is about to be booted.

  For instance, booting the SUSE Linux Enterprise Server 15 SP5 GA medium on a machine where SUSE Linux
  Enterprise Server 15 SP5 with all updates was previously installed.

  This also happens when switching between SUSE and non-SUSE Linux OSes if one of them is fully updated.

- Installation or update of Microsoft Windows in August 2024 or later while running an older Linux OS version in dual boot.

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021539
  • Creation Date: 26-Aug-2024
  • Modified Date: 26-Aug-2024

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
