Hi guys,
I have just experienced the infamous
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
boot error.
I wanted to write down my case, so if anyone has a similar situation, could get their system fixed.
In my case there was no Leap 15.x involved, I had only Tumbleweed on my system.
What I did was running an existing Tumbleweed install from an external hard drive, with Secure Boot on, without problems.
But later on decided to move this install to a new SSD that was placed inside the machine, inside a free slot.
I moved the partitions using Clonezilla, then I booted into openSUSE Rescue from a stick and chrooted into the new install to regenerate the initrd using dracut.
I still could not use Secure Boot at this stage, but I could boot if Secure Boot was in audit mode or off.
I have followed several forum threads and these instructions:
https://en.opensuse.org/openSUSE:UEFI#Reset_SBAT_string_for_booting_to_old_shim_in_old_Leap_image
But somehow nothing seemed to be working.
Following the article above, I tried several times to delete the SBAT policy, or load the previous policy, or reset everything; nothing worked.
Until I noticed the shim version difference between Leap and Tumbleweed. My brain somehow ignored everything that was related to Leap, as I had no Leap involved in my setup.
I checked the version of shim under Tumbleweed, and it is still 15.4, a version which will not help with any policy deletion.
So I downloaded a Live Leap 15.6, which has a newer shim version, which is needed for any policy deletion.
As it seems, it was enough to only boot into the live system and the SBAT policy was deleted/reset.
Previously I had something like:
localhost:~ # mokutil --list-sbat-revocations
sbat,1,2023010900
shim,2
grub,3
And when booted into Leap 15.6 Live, it changed into:
localhost:~ # mokutil --list-sbat-revocations
sbat,1,2021030218
I rebooted into the internal Tumbleweed and everything was the same, so I rebooted into BIOS and enabled Secure Boot and the Security Policy Violation
was not there anymore, Tumbleweed booted without problems.
I am not sure if this will happen again in the future, but I’ll keep the Live Leap stick at hand, just in case.
I really hope shim will get an update on Tumbleweed soon. I'm not sure about the difficulty of this update, but it is strange to have everything on the bleeding edge with Tumbleweed and then have something with so much potential to cause disruptions like shim stuck at a problematic version.
Any advice for the future is welcome.
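As an added illustration, not part of the original post, here is a small POSIX shell model of the generation comparison behind "Verifying shim SBAT data failed": for every entry in the SbatLevel revocation policy, a binary whose .sbat section carries the same component with a lower generation number is revoked. The two policy strings copy the mokutil outputs quoted in the post; the two .sbat sections are constructed for the example and are not the actual contents of any openSUSE shim build. It shows why a "shim,2" policy rejects a shim advertising generation 1, why the reset policy (only the "sbat,1,..." header line) accepts it, and why a shim advertising generation 2 passes the old policy.

```shell
#!/bin/sh
# Added example, not from the original post: a model of the SBAT generation
# check shim applies to itself. All sample data below is constructed.

# SbatLevel policy as the poster saw it before the reset:
# one "component,generation[,date]" line per entry.
POLICY_BEFORE='sbat,1,2023010900
shim,2
grub,3'

# Policy after booting the Leap 15.6 live stick: only the header line
# remains, so no component generation is revoked.
POLICY_AFTER='sbat,1,2021030218'

# Constructed .sbat sections (component,generation,vendor,package,version,url).
# A shim advertising generation 1 ...
OLD_SHIM_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim'

# ... and one advertising generation 2.
NEW_SHIM_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,2,https://github.com/rhboot/shim'

# sbat_check POLICY BINARY_SBAT
# For every policy entry, if the binary carries the same component with a
# lower generation, the binary is revoked. Components the binary does not
# carry (grub, for a shim) have no effect.
# Prints each revoked component; returns 0 on pass, 1 on revocation.
sbat_check() {
    policy=$1
    binary=$2
    revoked=$(
        printf '%s\n' "$policy" | while IFS=, read -r pcomp pgen prest; do
            [ -n "$pcomp" ] || continue
            printf '%s\n' "$binary" | while IFS=, read -r bcomp bgen brest; do
                if [ "$bcomp" = "$pcomp" ] && [ "$bgen" -lt "$pgen" ]; then
                    printf '%s (binary generation %s < policy generation %s)\n' \
                        "$bcomp" "$bgen" "$pgen"
                fi
            done
        done
    )
    if [ -n "$revoked" ]; then
        printf '%s\n' "$revoked"
        return 1
    fi
    return 0
}

# report LABEL POLICY BINARY_SBAT: prints PASS or REVOKED for one combination.
report() {
    if out=$(sbat_check "$2" "$3"); then
        printf '%s: PASS\n' "$1"
    else
        printf '%s: REVOKED\n%s\n' "$1" "$out"
    fi
}

report "old shim vs policy before reset" "$POLICY_BEFORE" "$OLD_SHIM_SBAT"
report "old shim vs policy after reset"  "$POLICY_AFTER"  "$OLD_SHIM_SBAT"
report "new shim vs policy before reset" "$POLICY_BEFORE" "$NEW_SHIM_SBAT"
```

To run the same comparison against a real installed shim, the .sbat section can be dumped with objcopy, for example `objcopy -O binary --only-section=.sbat /boot/efi/EFI/opensuse/shim.efi /dev/stdout` (the path is assumed; adjust for your layout), and the current policy read with `mokutil --list-sbat-revocations` as in the post.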