
I'm trying to install Ubuntu 24.04 (latest ISO from the official website). I made a bootable USB (UEFI, GPT) and tried both Rufus and Ventoy. But when I boot from the USB with UEFI and Secure Boot on, with 3rd-party certificates allowed (not only Microsoft), I get an error on boot saying: Verifying shim SBAT data failed: Security Policy Violation.

Microsoft says in latest update:

This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.

Of course, I'm not currently on a dual-boot system, so I run only Windows and this update was applied. It says this update will stop vulnerable Linux EFI (Shim bootloaders) from running. But I don't understand how Ubuntu didn't know their bootloader in the latest ISO is vulnerable! Also they say "If this occurs, work with your Linux vendor to get an updated ISO image." But I don't know how to get support from the Ubuntu vendor about their vulnerable ISO and get an updated version, so I'm here.

I do not want to remove the SBAT policy because if it was set, then it is needed by the security update.

"Verifying shim SBAT data failed: Security Policy Violation" does not answer my question, because the answer there is to remove the SBAT policy or disable Secure Boot, which I do not want to do!

Is there newer installer media without this error?

1 Answer


I think your question is easy to answer:

  1. As its version number indicates, Ubuntu 24.04 was released in April 2024.
  2. The Microsoft update you appear to be talking about (KB5041160) was released in August 2024.

We should therefore assume that if a Windows update from August 2024 talks about fixing a Secure Boot vulnerability in the UEFI Shim, it is likely to apply to the UEFI Shim used in an ISO that was released 4 months prior, such as the one used in the Ubuntu 24.04 ISO.

Now, Ubuntu does tend to produce refreshes of major releases, where they update the software (and can update bootloaders as well), which they will suffix with a .1, .2 etc. The 24.04.1 refresh is currently scheduled for 29 August 2024, so the 24.04 ISO you are using is still the April 2024 one, which most likely uses a Shim that has not been patched for the vulnerability that the Microsoft August update is trying to address (and therefore prevents vulnerable Shim bootloaders from running, through SBAT).

And, as you mention, since you do not run a dual-boot installation, the update did install the SBAT update on your system, thereby most likely preventing any Shim-based Linux boot media that uses a pre-2024.08 Shim from booting.

user535733, Akeo
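As an added illustration (not part of the question or the answer above), here is a small Python model of the check the Shim performs when it reports "Verifying shim SBAT data failed": each component entry in the boot binary's SBAT section is compared against the firmware's SBAT revocation policy, and a component whose generation number is below the policy's minimum is refused as a security policy violation. The policy string and the two media SBAT sections below are constructed sample values, not the actual contents written by KB5041160 or shipped in the Ubuntu 24.04 ISO.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse SBAT CSV lines ('component,generation,...') into entries.
    Policy lines usually carry only the first two fields; binary lines carry six."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT line: {raw!r}")
        entries.append(SbatEntry(fields[0].strip(), int(fields[1].strip())))
    return entries


def verify_sbat(binary_sbat: str, policy: str) -> tuple[bool, str]:
    """Return (ok, reason). For every policy component that also appears in the
    binary, the binary's generation must be >= the policy minimum, else it is revoked."""
    required = {e.component: e.generation for e in parse_sbat(policy)}
    for entry in parse_sbat(binary_sbat):
        minimum = required.get(entry.component)
        if minimum is not None and entry.generation < minimum:
            return False, (f"{entry.component} generation {entry.generation} "
                           f"< required {minimum}: Security Policy Violation")
    return True, "SBAT check passed"


# Constructed sample policy in the shape of the SbatLevel variable (sample values only).
POLICY_AFTER_UPDATE = "sbat,1,2024010900\nshim,4\ngrub,3\n"

# Constructed sample .sbat sections for two hypothetical boot media.
OLD_MEDIA_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
NEW_MEDIA_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)

if __name__ == "__main__":
    for name, sbat in (("old media", OLD_MEDIA_SBAT), ("new media", NEW_MEDIA_SBAT)):
        ok, reason = verify_sbat(sbat, POLICY_AFTER_UPDATE)
        print(f"{name}: {'boots' if ok else 'blocked'} ({reason})")
```

Run as-is, the old media is blocked with "shim generation 3 < required 4" while the refreshed media passes, which is the situation the answer describes for a pre-update Shim on media booted after the SBAT policy was applied.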