Verifying shim SBAT data failed: Security Policy Violation

itsmeacalling
Level 1
Posts: 4
Joined: Fri Mar 10, 2023 1:45 pm

Verifying shim SBAT data failed: Security Policy Violation

Post by itsmeacalling »

Linux Mint 21.3 has been running well since being installed 27/05/2024 with Secure boot enabled. Today when I started the laptop I see the below message for a few seconds and then the laptop shuts down…

“Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation”

The only way I can get the laptop up and running is to disable Secure Boot

I have tried Timeshift to revert back to the original installation

I have tried sudo update-grub

I am dual booting Linux Mint 21.3 Virginia MATE / Windows 11 on a Dell Inspiron 15 3585 Laptop

Can anybody advise what's gone wrong and a possible fix?
Oktayey
Level 1
Posts: 1
Joined: Wed Aug 14, 2024 3:03 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by Oktayey »

This just happened to me, suspiciously the day after Windows installed an update, so it isn't just you. I was able to boot by switching the Secure Boot mode in the BIOS from "Windows UEFI" to "Other OS". I don't know if that's a bad idea, but if it works for me, it works.
Reddog1
Level 8
Posts: 2145
Joined: Wed Jun 01, 2011 2:12 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by Reddog1 »

Windows has gone wrong and it was yesterday's update.
[Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.
Note that Windows says this update won't apply to systems that dual-boot Windows and Linux. This obviously isn't true, and likely depends on your system configuration and the distribution being run. It appears to have made some Linux EFI shim bootloaders incompatible with microcrap EFI bootloaders (that's why shifting from MS EFI to 'other OS' in EFI setup works).

It appears that Mint has a shim version that MS SBAT doesn't recognize --
work with your Linux vendor to get an updated ISO image
Lilithskitchen
Level 1
Posts: 1
Joined: Thu Aug 15, 2024 2:25 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by Lilithskitchen »

Yeah, it just happened now, but what I don't understand is I made the update yesterday and booted several times since then.
I booted this morning and it worked; now I came back after breakfast and see this.
I changed the bootloader to Windows after reading it's a bootloader issue, and of course this one worked.
Why does Windows interfere with GRUB anyway?
Mintymintymint
Level 1
Posts: 1
Joined: Thu Aug 15, 2024 3:36 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by Mintymintymint »

Happened to me as well yesterday. Tried googling what happened, since it literally came out of the blue, but couldn't find any specific info. Thought the problem was on my end, so in the end I came across the link that shows how to reset SBAT and did it. https://en.opensuse.org/openSUSE:UEFI#R ... Leap_image

Are there any consequences in doing so?
itsmeacalling
Level 1
Posts: 4
Joined: Fri Mar 10, 2023 1:45 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by itsmeacalling »

I put the UEFI back to Secure Boot “Enabled” and installed Linux Mint 22 “Wilma”. Now, so far the problem has not occurred. A bit drastic perhaps, but Mint 22 seems to work quicker than 21.3.

Thanks all for the info provided
Reddog1
Level 8
Posts: 2145
Joined: Wed Jun 01, 2011 2:12 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by Reddog1 »

Windows is now the arbiter of what bootloaders will be allowed to run on a secure boot system with windows installed. Only Microsoft approved loaders will be allowed, and Windows can change the allowed shims at will. It's going to be impossible to keep up.
manutheeng
Level 1
Posts: 1
Joined: Thu Aug 15, 2024 11:28 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by manutheeng »

Hello,

Thanks a lot for posting this. The same happened to me in my dual boot with Ubuntu 22 and Win10.

What worked for me was to follow the instructions in: https://discourse.ubuntu.com/t/sbat-rev ... cess/34996

In case this can help anyone, here is what worked for me:

1. Disable Secure Boot
2. Log into your Ubuntu user and open a terminal
3. Delete the SBAT policy with:

 sudo mokutil --set-sbat-policy delete 
4. Reboot your PC and log back into Ubuntu to update the SBAT policy
5. Reboot and then re-enable secure boot in your BIOS.

Sorry if this is off topic since it's related to Ubuntu and not Mint. I just wanted to put what worked for me on the top link that appeared when I searched online.

I hope this helps!
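
The check behind this error message, as an added example that is not part of the original post or of shim's own code: shim compares the generation number of each component listed in a binary's .sbat section with the minimums stored in the SbatLevel UEFI variable, and refuses to boot when any is lower. The revocation levels, the shim entries and the function names are constructed for illustration; the efivars path and the objcopy call in the comments are assumptions about a typical system.

```shell
#!/bin/sh
# Added example; all sample data below is constructed for illustration.
# On a real system the two inputs would come from (assumed, not from the thread):
#   level: tail -c +5 /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23
#   sbat:  objcopy -O binary --only-section=.sbat <path-to-shim.efi> /dev/stdout

# sbat_violations LEVEL_FILE SBAT_FILE
# Prints "component found minimum" for each component whose generation in
# SBAT_FILE is lower than the minimum required by LEVEL_FILE.
sbat_violations() {
    awk -F, '
        FILENAME == ARGV[1] {            # revocation level: component,minimum
            if ($2 ~ /^[0-9]+$/) min[$1] = $2 + 0
            next
        }
        # .sbat entry: component,generation,vendor,package,version,url
        ($1 in min) && $2 ~ /^[0-9]+$/ && ($2 + 0) < min[$1] {
            print $1, $2 + 0, min[$1]
        }
    ' "$1" "$2"
}

# sbat_verdict LEVEL_FILE SBAT_FILE: one-line result in the style of the boot message
sbat_verdict() {
    v=$(sbat_violations "$1" "$2")
    if [ -n "$v" ]; then echo "Security Policy Violation: $v"; else echo "ok"; fi
}

# write_samples DIR: constructed older level, newer level and shim .sbat data
write_samples() {
    printf 'sbat,1,2022052400\ngrub,2\n' > "$1/level_old"
    printf 'sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4\n' > "$1/level_new"
    cat > "$1/shim.sbat" <<'EOF'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.7-0ubuntu1,https://www.ubuntu.com/
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "old level: $(sbat_verdict "$tmp/level_old" "$tmp/shim.sbat")"
echo "new level: $(sbat_verdict "$tmp/level_new" "$tmp/shim.sbat")"
rm -rf "$tmp"
```

The same shim passes under the older level and fails under the newer one, which is why an installed system can stop booting without any change on the Linux side.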
kgrach
Level 1
Posts: 13
Joined: Mon Sep 30, 2019 1:24 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by kgrach »

Same thing just happened to me.
I will look into it when I have more time.
Just relieved it's not a virus.
It's been a few years since I last clean installed windows and mint and had a few hardware changes in the meantime.
So guess it's time.
I had gotten everything installed so nice and didn't want that much work or downtime on my PC.
Sigh well at least I might upgrade my drives.
seeauser7
Level 1
Posts: 1
Joined: Thu Aug 15, 2024 12:48 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by seeauser7 »

Here is a possible solution

After the last Win 11 update, I had the same problem on my dual-boot system (Mint 21.3 + Win 11, each on individual SSDs).

The message: ‘Verifying shim SBAT data failed: Security policy violation
Something went seriously wrong: SBAT self-test failed: Security Policy Violation' appears and the PC shuts down immediately.

I therefore wanted to install Mint 22 (Wilma), as Mint 21.3 was still in a ‘test phase’ as a replacement for Windows anyway.

My solution was as follows:
- Create a boot stick with Mint 22 (on another PC)
- Start the PC from the boot stick (boot menu with F12 or similar, depending on the motherboard manufacturer)
- Only start Mint 22 from the USB stick, do not install it
- Exit Mint 22 again, remove the USB stick, re-sat and boot from the HD/SSD
- The Linux boot menu then appears as usual and you can start Mint 21.3 or Win 11
luizamariaschwinn
Level 1
Posts: 1
Joined: Fri Aug 16, 2024 7:07 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by luizamariaschwinn »

Oktayey wrote: Wed Aug 14, 2024 3:07 pm This just happened to me, suspiciously the day after Windows installed an update, so it isn't just you. I was able to boot by switching the Secure Boot mode in the BIOS from "Windows UEFI" to "Other OS". I don't know if that's a bad idea, but if it works for me, it works.
What commands to use to find this Secure Boot mode and change from "Windows UEFI" to "Other OS" ??
kgrach
Level 1
Posts: 13
Joined: Mon Sep 30, 2019 1:24 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by kgrach »

luizamariaschwinn wrote: Fri Aug 16, 2024 7:11 am
Oktayey wrote: Wed Aug 14, 2024 3:07 pm This just happened to me, suspiciously the day after Windows installed an update, so it isn't just you. I was able to boot by switching the Secure Boot mode in the BIOS from "Windows UEFI" to "Other OS". I don't know if that's a bad idea, but if it works for me, it works.
What commands to use to find this Secure Boot mode and change from "Windows UEFI" to "Other OS" ??
Spam the delete key on startup, enter the UEFI "BIOS", go to the security settings, turn off secure boot, then save and exit.
I don't know your system; if you give more info I can give specifics.
kgrach
Level 1
Posts: 13
Joined: Mon Sep 30, 2019 1:24 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by kgrach »

Update
I tried booting from a Mint USB stick, but the system wouldn't boot.
So I reset the security keys db in UEFI, and I was able to boot from a Mint USB stick afterward. After rebooting the system, I could run Linux Mint 21.3 Virginia normally again.

Even though I have everything working normally, I have backed up everything onto a new NVMe drive and I've decided to wipe all systems and re-arrange the system drives now anyway.

I hope this helps people.
Turning off secure boot is a temporary fix to get into the system.
Resetting the security key db in UEFI "BIOS" seemed to fix my problems, or the booting into a Mint USB stick as previously reported.

I will be back if anyone has questions I can help with, after I reinstall windows 11 and then Mint 22
MartiansMint
Level 1
Posts: 1
Joined: Fri Aug 16, 2024 1:58 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by MartiansMint »

Hello, @manutheeng

Recently I had the same issue with my dual boot (Mint/Win) after the OS reboot from the following Windows updates:
  • august-13-2024-kb5042352-cumulative update for net framework-3-5-4-8-and-4-8-1-for-windows-10-version-22h2
  • august-13-2024-kb5041580-os-builds-19044-4780-and-19045-4780
Your simple solution worked perfectly for me! 8)

Thank you very much!
manutheeng wrote: Thu Aug 15, 2024 11:35 am 1. Disable Secure Boot
2. Log into your Ubuntu user and open a terminal
3. Delete the SBAT policy with:

 sudo mokutil --set-sbat-policy delete 
4. Reboot your PC and log back into Ubuntu to update the SBAT policy
5. Reboot and then re-enable secure boot in your BIOS.
Last edited by karlchen on Mon Aug 19, 2024 5:18 am, edited 1 time in total.
Reason: shortened full post quote to the relevant steps
Martian's Mint
avinals
Level 1
Posts: 1
Joined: Sat Aug 17, 2024 1:46 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by avinals »

Hi there. My computer turns off after showing that message. How can I access GRUB's command line?
tarisyah
Level 1
Posts: 1
Joined: Sat Aug 17, 2024 10:15 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by tarisyah »

avinals wrote: Sat Aug 17, 2024 1:55 am My computer turns off after showing that message. How can I access GRUB's command line?
If your computer is turning off immediately after the message, you can access GRUB by clicking Esc and F10 repeatedly. It works for my HP laptop.
Last edited by SMG on Sat Aug 17, 2024 10:24 am, edited 1 time in total.
Reason: Added quote tags to indicate the response is answering a question someone asked.
thcompsci
Level 1
Posts: 1
Joined: Sat Aug 17, 2024 5:21 pm
Location: San Antonio Texas

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by thcompsci »

I was getting this error message too. I installed Mint several days ago and was using it with no issues. I frequently would shut down my laptop at night then turn it back on, no problem. I booted into Windows 11 and it started a random un-cancellable update. The update took 15 minutes on a gigabit fiber connection, which I thought was strange because usually the updates only take like 3 minutes. I used Windows, then decided to boot into Linux Mint, and it booted with a broken GUI. My window manager, which is the default one for LDME, made everything super tiny. I restarted my system and still everything was super tiny. I restarted it again and then I got the SBAT Security Policy Violation error.

All this started happening as soon as Windows did its surprise update.
I did what all of you talked about in this forum and I went into my BIOS and disabled secure boot as well as fast boot. I am using a new Asus laptop which is not very Linux friendly, but this worked for me.

My conspiracy theory is that Microsoft intentionally rolled out a Windows update to mess with Linux users that are dual booting, but I have no proof obviously.
buzzears
Level 3
Posts: 139
Joined: Tue Sep 20, 2016 4:11 am
Location: United Kingdom

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by buzzears »

What worked for me was to change Option 1 from Linux Mint to Windows, and Option 2 is now Linux Mint. As soon as I did that and then came out of safe mode, the PC started up as normal with Windows. Fingers crossed it will continue to do so.

I am using a Dell PC and to get into safe mode after the message about something going seriously wrong (as written out by seeauser7) (after which the PC was switching itself off), I hit the F8 key repeatedly as soon as the PC was turning on and before that message appeared. That brought up 'Dell' on the screen, along with two choices: F2 and another key (I forget which), and I chose F2. From there, I selected 'Boot', and then changed the options.

Edit: The change I made means that the screen where you choose which system you want to use does not appear before start-up. It just opens up Windows straight away. This is fine for me, as I was having issues with Linux and hadn't been using it anyway.

Maybe this info will help someone else.
brunei62
Level 1
Posts: 1
Joined: Sun Aug 18, 2024 11:30 pm

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by brunei62 »

This worked like a gem for me. Thank you guys. Cheers from Brazil
manutheeng wrote: Thu Aug 15, 2024 11:35 am 1. Disable Secure Boot
2. Log into your Ubuntu user and open a terminal
3. Delete the SBAT policy with:

 sudo mokutil --set-sbat-policy delete 
4. Reboot your PC and log back into Ubuntu to update the SBAT policy
5. Reboot and then re-enable secure boot in your BIOS.
Last edited by karlchen on Mon Aug 19, 2024 5:18 am, edited 1 time in total.
Reason: shortened full post quote to the relevant steps
ekulz
Level 1
Posts: 2
Joined: Mon Aug 19, 2024 4:38 am

Re: Verifying shim SBAT data failed: Security Policy Violation

Post by ekulz »

manutheeng wrote: Thu Aug 15, 2024 11:35 am In case this can help anyone, here is what worked for me:
1. Disable Secure Boot
2. Log into your Ubuntu user and open a terminal
3. Delete the SBAT policy with:

 sudo mokutil --set-sbat-policy delete 
4. Reboot your PC and log back into Ubuntu to update the SBAT policy
5. Reboot and then re-enable secure boot in your BIOS.
Thanks for this. It didn't work for me, but I realised I was still using Mint 20.2. I upgraded to 20.3, and then immediately upgraded to 21.

The 21 upgrade had some issues with missing libcrypto.so.1.1 in the logs (/var/log/apt/term.log). Installed it manually and immediately continued and finished the Mint upgrade.

After rebooting I followed the steps again and can now boot Windows with Secure Boot. Thanks!
Last edited by karlchen on Mon Aug 19, 2024 5:19 am, edited 1 time in total.
Reason: shortened full post quote to the relevant steps