After a shim update yesterday, no longer able to boot with secure boot enabled

Right. I think you will be fine.

Anything can go wrong. Thus infamous host erlangen runs with secure boot turned off.

BTW: Michael Kofler says:

Secure Boot is intended to prevent malware from being loaded during the boot process which subsequently evades all further security measures, such as virus scanners. Such attacks have hardly ever occurred in recent decades, not under Windows, and certainly not under Linux. To put it succinctly Secure Boot protects you from a danger that does not exist.

The security problems that have plagued Windows and occasionally Linux in recent years have all been errors in individual application programs - be it in Internet Explorer or the Apache web server. These problems will probably continue to exist. Secure Boot does not change this.

After some testing I came up with a workaround. Only update manually, as this is going to break secure boot every time. Follow the instructions loosely, as every BIOS is different.

Go into the BIOS and, under Secure Boot, change from Standard to Custom, click Key Management and delete the PK key. This will put the Secure Boot Mode back into Setup. This allowed me to boot.

I have a question, was it the last shim update from a couple of days ago that stuffed up your boot manager?
After the first shim update beginning of April I had to boot up my laptop (HP) with ESC and the boot manager. My desktop has been booting fine after the first shim update. The second shim update seems to have fixed the laptop, it starts up again by itself. But after reading your post I’d like to be sure that the second shim update won’t stuff up my desktop. So my question is, did your workaround refer to the first or the second shim update?
Please excuse me if this is a stupid question, but I’m a beginner with Linux, have been thrown in at the deep end.

The shim update that caused problems for some people was at the end of March. Checking my history, I see that update at March 30th here.

Yes, there’s a new shim update waiting for me to install. I’ll do that tomorrow (I only update once per week). Looking at the information provided with that update, it seems to only be changing “shim-install”, so it shouldn’t be a problem. But then I haven’t actually installed it yet.

The update probably will reinstall the bootloader, which might change your boot order. I don’t know whether it will run the command:

mokutil --set-sbat-policy latest

but if it does, that will cause problems here.

I hope that answer helps.


It was three fresh installs =/

First boot was fine. It didn’t happen until I updated. Third time I was mucking around with secure boot keys when I decided to try deleting the PK key.

I am having this problem with my laptop only; openSUSE Tumbleweed works fine on my desktop, but on my laptop I am getting that error from the USB drive. I first noticed it when I tried to use Universal-USB-Installer-2.0.1.9 to load USB ISO images onto it, but it also happens with openSUSE-Tumbleweed-GNOME-Live-x86_64-Snapshot20231001-Media and openSUSE-Tumbleweed-KDE-Live-x86_64-Snapshot20231001-Media. I think, if I recall, the DVD Tumbleweed image is doing the same thing. Whatever broke with secure boot doesn’t seem to affect Windows 11 or the Fedora 38 and Fedora 39 live images; all of them, including Ubuntu 23.10 and Kubuntu 23.10, are still working. It’s only openSUSE that seems to be getting this type of message:

verifying shim SBAT something has gone seriously wrong: sbat self-check failed: security policy Visitation.

My laptop is an ASUS Republic of Gamers laptop, model GL702VSK. Rufus and openSUSE-Leap-15.5-KDE-Live-x86_64-Build10.117-Media are working, but I am getting problems with the live images of Tumbleweed getting that message. It works if I turn secure boot off, but I would prefer to keep it on. I don’t remember, and need to recheck, whether the openSUSE Tumbleweed MicroOS DVD image is affected or not by this problem; I will test it, but wanted to ask if any progress into fixing this problem has yet happened. Again, it’s affecting both openSUSE and this below; again I don’t know if the problem happened before I tried to use this Universal USB Installer. It works fine with the rest of my older laptops and my older desktop PC; my ASUS laptop is the only thing being hit with this problem this week.

Universal USB Installer - Boot from USB ▷ Bootable Maker (pendrivelinux.com)

Also, this problem does not affect the Fedora 39 beta Silverblue and Kinoite builds; I’ve been able to run them on the laptop without the shim SBAT problem. And the Debian-based ones like Kubuntu work, and all the other spins. I am only having this problem with that app on Windows and openSUSE itself for some of the newer versions like Tumbleweed. If I use either Rufus or Fedora Media Writer for my USB with Fedora or others besides openSUSE, that still doesn’t work, even with its app on Windows for the images. I noticed that Leap 15.5 is not affected by this bug; I have not tested Leap 15.6 yet, but I will. If there’s a fix for this problem, I have not figured it out. Again, I am not sure if openSUSE caused it or if the Universal USB Installer did. I am using two USB drives for my Linux distro installs at this time, and I don’t burn DVD-Rs of Linux anymore, so I can’t test that; plus my new laptop doesn’t have a DVD drive built into it anyway.

openSUSE-Tumbleweed-KDE-Live-x86_64-Snapshot20231001-Media and openSUSE-Tumbleweed-GNOME-Live-x86_64-Snapshot20231001-Media I think have this problem; I know the KDE Plasma build is getting “verifying shim SBAT” with the Rufus software for sure.

I can confirm that these items, including the Tumbleweed NET install and MicroOS ContainerHost SelfInstall, are being affected by the shim bug; again it’s not affecting current Kubuntu 23.10 or Debian 12 live GNOME and KDE images.

Verifying shim SBOT: Security Violation Failure
Something went terribly wrong [...]

The images below can only run on the ASUS Republic of Gamers laptop model GL702VSK if secure boot is disabled; still working with secure boot on are all Fedora, Ubuntu, and current Debian releases.

1. openSUSE-Tumbleweed-NET-x86_64-Snapshot20231006-Media
2. openSUSE-MicroOS.x86_64-ContainerHost-SelfInstall

Also, the Linux distros affected by this, if you turn secure boot back on, get the shim SBOT bug, and it causes the laptop to shut down plus it powers off the laptop.

Still, Windows 10 and Windows 11 are not affected, and this laptop last had a firmware BIOS update in 2019. And no, you can’t disable the TPM on it; you can only turn off secure boot from the BIOS. Clearing the TPM can only be done from Windows 11 or 10, but doesn’t fix this problem.

Your simplest “solution” will be to keep secure-boot disabled for now.

The basic problem here is that the “shim” from Tumbleweed is older than the “shim” from Leap 15.5 (or 15.6). The newer shim uses stricter standards, and once those are being enforced you cannot boot Tumbleweed with secure-boot enabled. This is going to be a problem until Tumbleweed provides us with a newer “shim”.

Besides openSUSE, this problem is also affecting Universal USB Installer - Boot from USB ▷

It will only work now if secure boot is disabled. But I don’t know what Fedora is using; shim is not affected on any Fedora versions, the spins work and Silverblue also works with secure boot on. Fedora doesn’t get that TPM error. I don’t know if it’s related to this, but for whatever reason these firmware bug errors below are in openSUSE and Ubuntu and Debian but not Fedora:

tpm_crb MSFT0101:00: [Firmware bug]: ACPI region does not cover the entire command.response bugger. [mem 0fed4000-0xfed4087f flags vs fed40080 f80 
This repeats twice in the kernel start, only on openSUSE Leap and Tumbleweed and MicroOS and Debian-based Linux distros.

This problem does not show up in Fedora, but that one has some other problems with the display when it has the splash screen on this laptop model, so it’s like one bug or another running either Linux distro.

And these two also show up in the Linux kernel only on openSUSE Leap 15 and Tumbleweed, Debian and Ubuntu Linux distros:

SGX disabled by BIOS. 

Now I know I can edit GRUB and add in rmmod tpm, which would remove that tpm_crb thing, but the two other errors I am not sure can be removed by a setting in GRUB that I know of.

The other thing I’ve seen in openSUSE Leap is

Device booted in 11739 usecs
***Bluetooth: hci0: Malformed MSFT vendor event: 0x02***
found Intel DDC parameters completed
firmware revision 0.0 build 14 week 44 2021
MGMT ver 1.22 

It’s in red under dmesg, but I read online that even though these are in red they don’t affect the Linux distro??
I don’t think it has anything to do with shim, but it does only show up on three Linux distro types, Ubuntu, Debian and openSUSE; Fedora and Arch Linux based distros don’t have these kernel errors.

I used garuda-dr460nized (Arch based) and Manjaro KDE builds; if I recall, Arch Linux doesn’t get the kernel bootup error like openSUSE does. Also, since they only work with secure boot off, I don’t know or think they are affected by shim yet, but Fedora works with secure boot on still and is not affected by this shim problem that openSUSE seems to have, which is related to the problem reported below.

1209985 – Secure boot violation when install Leap shim and Tumbleweed shim in one machine (opensuse.org)

From that link above this post, which shows these commands: will it also fix Tumbleweed or Tumbleweed MicroOS to work on the laptop with secure boot on again, or is the information that was included on that other page about this shim problem just for openSUSE Leap?

> # Check secure boot state:
> localhost:~ # mokutil --sb
> SecureBoot disabled
> 
> # Check current SBAT string in SbatLevelRT variable. Default is "latest"
> mode as following:
> localhost:~ #  mokutil --list-sbat-revocations
> sbat,1,2022111500
> shim,2
> grub,3
> 
> # Run mokutil to set SBAT policy to "delete"
> localhost:~ # mokutil --set-sbat-policy delete
> 
> # You can hexdump SbatPolicy efi variable to confirm, the command 3 be
> written to SbatPolicy variable
> localhost:~ # hexdump /sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
> 0000000 0007 0000 0003
> 0000005
> 
> - Reboot to Leap 15.5, which means booting to shim 15.7. The shim 15.7 will
> take the delete mission and reset SbatLevelRT variable to "original" mode.
> 
> Note:
> Please do NOT reboot to Leap 15.4 (which means you boot to shim 15.4). The
> old shim 15.4 does NOT support "--set-sbat-policy" command for resetting
> SbatLevelRT. The mokutil delete command will be ignored by shim 15.4.
> 
> - Now you still boot to Leap 15.5, run mokutil command in terminal to
> confirm that the SBAT string be changed to "original" mode (aka. delete):
> 
> localhost:~ # mokutil --list-sbat-revocations
> sbat,1,2021030218 
> 

It now shows this from within openSUSE Leap 15.6. Will this fix allow me to boot up the MicroOS snapshots again, or normal Tumbleweed rolling builds, on my laptop again with secure boot on?

mokutil --list-sbat-revocations

sbat,1,2021030218
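The mechanism behind the quoted procedure, and behind the older-shim-versus-stricter-SbatLevelRT mismatch described earlier in the thread, modelled as an added example in Python (not shim’s or mokutil’s own code): it parses the SbatLevel CSV quoted above, runs the generation comparison that shim’s self-check performs against a constructed older and newer shim .sbat section, and decodes the SbatPolicy efivar bytes from the quoted hexdump. The shim/grub rows of the “original” list, the two .sbat sections and the example.invalid URLs are constructed for illustration.

```python
import struct

# SbatLevelRT contents: "latest" mode as quoted in the thread, and the "original"
# mode that a delete resets to (its shim/grub rows are constructed here).
SBAT_LEVEL_LATEST = "sbat,1,2022111500\nshim,2\ngrub,3\n"
SBAT_LEVEL_ORIGINAL = "sbat,1,2021030218\nshim,1\ngrub,1\n"

# Constructed .sbat sections of an older and a newer shim. CSV columns are
# component,generation,vendor,package,version,url; only the generation is compared.
SHIM_OLD = ("sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
            "shim,1,UEFI shim,shim,15.4,https://example.invalid/shim\n")
SHIM_NEW = ("sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
            "shim,2,UEFI shim,shim,15.7,https://example.invalid/shim\n")

def parse_sbat(text):
    """CSV -> {component: generation}; SbatLevel and .sbat share this shape."""
    gens = {}
    for line in text.strip().splitlines():
        fields = line.split(",")
        gens[fields[0]] = int(fields[1])
    return gens

def sbat_self_check(binary_sbat, sbat_level):
    """Model of shim's self-check: every component the binary declares must be
    at or above the generation revoked in SbatLevelRT, otherwise boot is refused."""
    mine = parse_sbat(binary_sbat)
    for component, minimum in parse_sbat(sbat_level).items():
        if component in mine and mine[component] < minimum:
            return False, f"{component} generation {mine[component]} below revoked {minimum}"
    return True, "ok"

# Policy byte written by mokutil --set-sbat-policy; 3 is the value the quoted
# hexdump shows for "delete", 1 and 2 are shim's latest/automatic values.
SBAT_POLICIES = {1: "latest", 2: "automatic", 3: "delete"}

def decode_sbat_policy(raw):
    """SbatPolicy efivar = 4-byte little-endian attributes + 1 policy byte."""
    attrs, policy = struct.unpack("<IB", raw[:5])
    return attrs, SBAT_POLICIES.get(policy, f"unknown({policy})")

if __name__ == "__main__":
    # The five bytes behind "0000000 0007 0000 0003 / 0000005" in the quoted hexdump.
    print(decode_sbat_policy(bytes.fromhex("0700000003")))  # (7, 'delete')
    for name, sbat in (("older shim", SHIM_OLD), ("newer shim", SHIM_NEW)):
        for mode, level in (("latest", SBAT_LEVEL_LATEST), ("original", SBAT_LEVEL_ORIGINAL)):
            print(name, "with SbatLevelRT", mode, "->", sbat_self_check(sbat, level))
```

Running it shows the older shim failing only against the "latest" list, which is exactly what the delete policy undoes by resetting SbatLevelRT to the "original" generations.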

Yes, that should work. I have used it here with Tumbleweed and MicroOS.


It only worked for the Tumbleweed live KDE .iso image on the USB drive; I didn’t try the live GNOME image, but the Tumbleweed DVD installer image is broken with this message. Also, it’s affecting my older Gigabyte desktop since I tried openSUSE Leap 15.6 on it; that shim SBOT really messed it up for being able to run openSUSE Tumbleweed’s DVD installer images.
I can’t run openSUSE-Tumbleweed-DVD-x86_64-Snapshot20231003-Media, but openSUSE-Tumbleweed-KDE-Live-x86_64-Snapshot20231001-Media works after that console fix when in the openSUSE Leap 15.6 build.

The image is from the USB drive with the Tumbleweed DVD snapshot. I tried using Rufus with DD mode and Fedora Media Writer; Rufus ISO mode was not working, and it will not even boot from Universal-USB-Installer-2.0.1.9.

Image of my openSUSE file names collected on my external hard drive.

These are all the ISO images of openSUSE that I have downloaded and put on my external hard drive as backups for installing Linux distros. I also have a few Ubuntu, Debian and Fedora images downloaded, but again this problem is mainly affecting openSUSE itself at this point.

You should not be getting that. But I don’t really know what you did.

This is a different problem from the “SBAT” issue that started this thread. In this case, the problem seems to be in recognizing the kernel signature.

If you are booting with the “shim” from Leap, I would expect this problem. The “shim” from Leap cannot recognize a normal Tumbleweed kernel. But if you are booting with the “shim” from Tumbleweed, you should not be seeing this.

I was not booting the shim from Leap; that image is of “openSUSE-Tumbleweed-DVD-x86_64-Snapshot20231003-Media”. I was having problems getting it running from Rufus, so I tried using Fedora Media Writer, but that bad shim signature is from the Tumbleweed snapshot, after fixing that error that didn’t allow me to boot the Tumbleweed live KDE ISO image on the desktop PC. The problem with using openSUSE Leap 15.6 on both PCs needed the localhost:~ # mokutil --set-sbat-policy delete fix from secure boot disabled mode.

I tried the ISO-to-USB mode again in the Rufus 4.2 software; it is from the ISO image mode and not DD image mode, of the image that I have backed up to my external HD drive. That’s a screenshot I took with my Android tablet’s camera; it’s getting an error from shim within the Tumbleweed ISO image itself, so maybe either something is wrong with that ISO image, or I didn’t transfer it the right way in Windows 11 to my USB boot drive. I have no problems booting Kubuntu 23.10 or Ubuntu, and my Fedora-KDE-Live-x86_64-39_Beta-1.1 image works fine from the drive; it’s only that one ISO so far that I noticed is having a problem.

I will try the balenaEtcher software again; maybe it’s a problem with Rufus. I used DD mode, but I don’t think that worked correctly, I don’t recall. I am looking at its page here,

SDB:Create a Live USB stick using Windows - openSUSE Wiki

Nope, I just tried using balenaEtcher and am still getting this error below; either it’s some Leap 15.6 thing, or the ISO image itself is bad. I don’t know at this point. I am pretty sure that if I turn off secure boot the image will work and install, but what I don’t know is, if it does install, whether grub2 will work with secure boot on afterwards. I think it’s still related to the problem Leap causes, by the way my desktop that ran Leap got that

Verifying shim SBOT: Security Violation Failure
Something went terribly wrong […]

error on this Gigabyte desktop. It only has secure boot; it doesn’t have a TPM device at all. The desktop model is this one, below:

G1.Assassin 2 (rev. 1.0) Support | Motherboard - GIGABYTE Global

I also own a Z690 AORUS Master, but I am not currently running Linux on it, just Windows, so I am using that Z690 to transfer these Linux ISO images to my USB drive, then booting them on my laptop and my older desktop PC.

Not all Linux distros have power settings for when you close your laptop’s monitor down, which is a setting in openSUSE which I like; I don’t recall if Kubuntu has it, or Fedora. I know some of the power settings are not the same in all the Linux distros; it’s something openSUSE Tumbleweed and Leap have. Anyway, the live images still work, just not the DVD installer at this point on my older desktop with the DDR3 memory. My new PC has DDR5 memory and has both Intel 3D and an Nvidia card in it; this older desktop only has the Nvidia, and my ASUS laptop also only has an Nvidia 3D card. I am not sure what happened to the DVD image, whether I downloaded a bad image of it or it’s connected with the Verifying shim SBOT. I was hoping I fixed it by using mokutil --set-sbat-policy delete, but that may not have fully fixed the problem.

I don’t have a copy of that iso, so I cannot test this. I presume it is no longer on the download site, replaced by a newer iso.

Notice the clear difference in the error message, compared with that in OP of this thread. I do get that message occasionally, but not while booting an iso. I get it if I install a kernel from the kernels repo but fail to enroll the related key.