Windows update paralyzes Linuxes again

With the Windows updates from August 13, various Linux installation media no longer boot. This is due to outdated boot loaders that have now been blocked.

Security employee blocks access

Windows Update once again locks out some Linux boot loaders.

(Image: Generated with Stable Diffusion by heise online)


And the Windows update greets us daily: Some Windows computers on which the update released on August 13 was installed no longer boot the installation media and live systems of some Linux distributions. According to our research, the current Ubuntu 24.04 LTS and live systems based on it, such as Desinfec't, are also affected.

As with previous Windows updates that prevented Linuxes from booting, the cause is outdated Linux bootloaders that have been known to be insecure for some time. While in previous updates it was blacklist entries in the Secure Boot DBX database that blocked the Linux bootloaders, Microsoft has now, with the update (KB5041571 and KB5041580 for Windows 10 and 11), retrofitted the Secure Boot Advanced Targeting (SBAT) mechanism developed by the open-source community. This is intended to solve the storage-space problem in the UEFI firmware of some mainboards, which offers only limited room for the DBX database of signatures of vulnerable bootloaders.

Whereas with DBX entries it is the UEFI firmware that refuses to boot a bootloader recognized as insecure, with SBAT it is the Linux bootloaders Shim and GRUB themselves that recognize that Secure Boot is no longer guaranteed and therefore refuse to continue. Optimizations are also meant to keep SBAT blacklists as small as possible. However, this does not eliminate the dependency on Microsoft to certify and sign the Linux bootloader Shim for Secure Boot again and again: Secure Boot still only starts signed bootloaders from a trusted source, and for almost all hardware manufacturers that source is still only Microsoft. But because these bootloaders can now be disabled via SBAT if they prove to be flawed, no new entry needs to be added to the DBX blacklist.
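To make the DBX/SBAT distinction concrete: with SBAT, the revocation decision is made by Shim comparing the CSV records in a loaded binary's `.sbat` section against the minimum generation numbers in the SbatLevel policy. The following is an added example that re-implements that comparison on plain strings; it is not Shim's code, reads no real UEFI variables or PE files, and goes slightly beyond the article by showing the general per-component check. The CSV layout follows the shim project's SBAT.md; the sample `.sbat` data and policy below are constructed for illustration and do not reflect any real distribution's values.

```python
"""
Illustrative SBAT revocation check (added example, not shim's code).

Each SBAT record is a CSV line:
  component_name,component_generation,vendor_name,vendor_package,vendor_version,vendor_url
The policy (in firmware: the SbatLevel UEFI variable) lists component names
with the minimum generation that is still allowed. A binary is refused when
any component it declares has a generation below the policy's minimum.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse SBAT CSV text; every record needs at least component,generation."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected at least 2 fields: {raw!r}")
        try:
            generation = int(fields[1])
        except ValueError:
            raise ValueError(f"line {lineno}: generation is not an integer: {fields[1]!r}") from None
        entries.append(SbatEntry(fields[0], generation, *fields[2:6]))
    return entries


def sbat_check(binary_sbat: str, policy_sbat: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons).

    A binary without any SBAT data is treated as refused, as shim does for
    binaries it is asked to load (assumption stated for this example).
    """
    binary = parse_sbat(binary_sbat)
    if not binary:
        return False, ["binary carries no SBAT data"]
    policy = {e.component: e.generation for e in parse_sbat(policy_sbat)}
    reasons = []
    for entry in binary:
        minimum = policy.get(entry.component)
        if minimum is not None and entry.generation < minimum:
            reasons.append(
                f"{entry.component}: generation {entry.generation} < required {minimum}"
            )
    return (not reasons), reasons


# Constructed .sbat content of an outdated boot medium's GRUB (sample data).
OLD_MEDIA_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.exampledistro,1,Example Distro,grub2,2.06-1,https://example.invalid/
"""

# Constructed .sbat content of a rebuilt medium with a newer GRUB generation.
UPDATED_MEDIA_SBAT = OLD_MEDIA_SBAT.replace("grub,3,", "grub,4,")

# Constructed SbatLevel policy: the 'sbat' line's third field is the policy
# date stamp; the remaining lines are component,minimum_generation.
POLICY_SBAT = """\
sbat,1,2024010900
shim,4
grub,4
"""

if __name__ == "__main__":
    for label, sbat in (("old medium", OLD_MEDIA_SBAT), ("updated medium", UPDATED_MEDIA_SBAT)):
        allowed, reasons = sbat_check(sbat, POLICY_SBAT)
        print(f"{label}: {'boots' if allowed else 'refused'}", reasons)
```

The outdated medium is refused because its `grub` generation (3) is below the policy minimum (4), even though its signature is still valid; the rebuilt medium with generation 4 passes. This is why, as the article notes, affected distributions have to rebuild their media rather than wait for a new signature, and why no DBX entry is consumed.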

It is still unclear which systems and distributions are affected by the recent boot problems. Microsoft states in the knowledge base entry that the update "does not apply to systems that dual boot Windows and Linux." However, there are already reports that the update also prevents Linux sticks from booting on systems with a parallel Linux installation. On other systems, our own tests show that Ubuntu 24.04 LTS continues to boot without any problems. Linux systems already installed on a hard disk or SSD and kept up to date with the latest updates will continue to boot in any case.

To solve the problem of outdated boot loaders, the affected distributions will once again have to update their installation media, which is likely to take a few days. Alternatively, you can deactivate Secure Boot on your computer, but only if you have written down or printed out the BitLocker recovery key beforehand. This is because encrypted Windows installations sometimes react badly to changes to Secure Boot and then require you to enter the key the next time they are started.

(mid)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.