
Tails cannot start with Secure Boot enabled on systems that require shim SBAT level 5

Problem

Recent distros that use shim 15.8 (released 2024-01-23) or newer, such as Debian sid, now require shim SBAT level 5. The same applies to a recently upgraded Windows 11. This information is stored in the computer's UEFI revocation storage (or similar), so it affects any OS that one tries to start on the same machine. In particular, Tails 6.5 includes a version of shim that complies only with SBAT level 4, so the firmware of a computer that has already run a more recent distro, such as Debian sid, now refuses to boot Tails 6.5:

Verifying shim SBAT data failed: Security Policy Violation

Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

This will be a recurring problem, every time a new security vulnerability makes distros bump the SBAT level required for shim or GRUB.

Possible solutions

The obvious solution is to upgrade shim-signed and other relevant packages in Tails:

  • Debian plans to include updated shim-signed in Bookworm 12.7 (#20468, closed), late August. We would inherit this update in Tails 6.7, around September 10.
  • If we want to go faster, can these packages be installed as-is via APT pinning? This could allow us to ship a fix in Tails 6.6, around August 13.

But apparently, once we do this upgrade, be it via Debian Bookworm or faster, having booted an upgraded Tails on a given computer will prevent booting another OS, whose shim does not meet SBAT level 5, on the same machine: the SBAT level bump seems to be encoded in the firmware memory during boot. So it's pretty risky to ship the update before Debian Bookworm does. And even if we wait for Debian Bookworm 12.7, chances are that we will trigger this problem for users who did not upgrade their distro, or who run another distro that did not push the update yet.

So regardless of when & how exactly we ship the upgrade, we can be certain that "fixing Tails booting with Secure Boot on some systems" will result in "breaking other distros booting with Secure Boot on some systems after having started a new Tails". We should at the very least document the symptoms and a workaround.

Unsafe workarounds

  • A. Disable Secure Boot until all operating systems that you want to boot on this computer have been updated to meet the maximum SBAT level required by any of these OS'es.
    • How to do so differs a lot depending on the computer.
  • B. https://en.opensuse.org/openSUSE:UEFI#Reset_SBAT_string_for_booting_to_old_shim_in_old_Leap_image documents how to empty the revocation list.
    • Slightly safer than A on the short term (some Secure Boot is better than none), but less safe on the mid-term (presumably these useful entries in the revocation list won't be re-added automatically).
    • Requires a working Linux system and running commands in a terminal.
  • C. Use mokutil --set-sbat-policy from a running system to go back to a previous SBAT minimum level.
    • Does this need to be done manually every time one has booted one of the newer OSes?
    • Requires a working Linux system and running commands in a terminal.

Documentation

  • In Support → Known Issues
    • If you get the following error when starting Tails (applies to Windows and Linux users):
      • Verifying shim SBAT data failed: Security Policy Violation
      • Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
      • Then, do a manual upgrade to the latest Tails version.
    • If you get this error when restarting on your main Linux OS after using Tails:
      • Then, disable Secure Boot to be able to start your main Linux OS again.
      • You can enable Secure Boot again after your main Linux OS has upgraded some obscure UEFI stuff.
        • Command line instructions to check compatibility?
    • This known issue can stay on the page indefinitely.
  • In the release notes for 6.7
    • If you have another Linux as main OS:
      • If you get the following error when starting your regular Linux OS after using Tails 6.7:
        • Verifying shim SBAT data failed: Security Policy Violation
        • Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
        • Then, disable Secure Boot.
      • If you don't want to disable Secure Boot or if you want to be extra careful:
        • Then, check if your OS is compatible with SBAT 5 before upgrading to Tails 6.7
          • Timeline of compatibility (best effort)
          • Command line instructions to check compatibility?
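One way to answer the "command line instructions to check compatibility" question above, as an added example that is not part of this issue, of Tails, or of shim's own code: the script below applies shim's SBAT rule (a binary is revoked when the firmware's SbatLevel policy lists a component it carries with a generation below the required minimum) to a dumped .sbat section. It assumes the efivarfs path and GUID for the SbatLevel variable given in the comments, that the section was dumped with objcopy, and uses constructed sample data for the self-contained demo.

```python
import sys

# Where efivarfs exposes shim's SbatLevel revocation variable (assumed path;
# the GUID is shim's own vendor GUID). The first 4 bytes of the file are the
# variable's attribute flags, not policy text.
SBATLEVEL_EFIVAR = ("/sys/firmware/efi/efivars/"
                    "SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23")

# Constructed sample data, not real shim or firmware contents.
SAMPLE_POLICY = "sbat,1,2024010900\nshim,5\ngrub,3\n"
SAMPLE_OLD_SHIM = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.debian,1,Debian,shim,15.7-1,https://packages.debian.org/source/shim\n")

def parse_sbat_csv(text):
    """Map component -> generation from SBAT CSV rows 'component,gen,...'."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip("\x00 \t\r").split(",")
        if len(fields) >= 2 and fields[1].isdigit():
            entries[fields[0]] = int(fields[1])
    return entries

def sbat_violations(binary_sbat, policy):
    """shim's rule: the binary is revoked if any policy row (component, minimum)
    matches a component it carries with a lower generation. Components the
    binary does not list are ignored. Returns [(component, has, needs)]."""
    have, want = parse_sbat_csv(binary_sbat), parse_sbat_csv(policy)
    return [(c, have[c], m) for c, m in want.items() if c in have and have[c] < m]

def load_policy(path=SBATLEVEL_EFIVAR):
    with open(path, "rb") as f:
        return f.read()[4:].decode("ascii", "replace")  # skip attribute word

def main(argv):
    # Usage: check_sbat.py sbat.csv, where sbat.csv was dumped with
    #   objcopy --dump-section .sbat=sbat.csv /path/to/shimx64.efi
    if len(argv) != 2:
        print(f"usage: {argv[0]} sbat.csv", file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        bad = sbat_violations(f.read(), load_policy())
    for component, has, needs in bad:
        print(f"{component}: binary generation {has}, firmware requires >= {needs}")
    print("REVOKED: shim's SBAT self-check would fail" if bad else "OK")
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the .sbat section of the shim an OS boots with (root is needed to read the efivar); a non-empty report means that OS would hit the "Verifying shim SBAT data failed" error on this firmware.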

Resources

Edited by intrigeri