Arthur T Knackerbracket has processed the following story:
Microsoft's Patch Tuesday for August 2024 includes a fix for a security vulnerability in the Grub2 boot loader, which is used by many Linux operating systems. Tracked as CVE-2022-2601, this flaw, discovered in 2022, could lead to an out-of-bounds write with a potential bypass of Secure Boot protection.
The Grub2 boot loader provides compatibility with the Secure Boot technology on PCs running Linux systems. After installing the new patch, Windows applies a Secure Boot Advanced Targeting (SBAT) policy to block vulnerable Linux boot loaders that could compromise OS security.
Microsoft explained that the SBAT value would not be applied to dual-boot systems with both Windows and Linux on the boot drive, so the patch was expected not to impact these systems. However, many users with dual-boot configurations have reported that the CVE-2022-2601 update still rendered booting into a Linux OS impossible.
The issue appears to affect various Linux distributions, including popular ones such as Ubuntu, Linux Mint, Zorin OS, Puppy Linux, and others. Affected systems typically display a "Security Policy Violation" error at boot, indicating a failed check on "shim SBAT data." Boot problems have been reported on both dual-boot systems and on Windows devices running Linux from an ISO image, USB drive, or optical media.
Microsoft's bulletin noted that only older Linux distros' ISOs were expected to experience boot issues following the CVE-2022-2601 patch. However, users with systems released in 2024 also seem to be affected. The only reliable way to restore a bootable state appears to be disabling Secure Boot entirely. Alternatively, users can follow the steps to remove the SBAT policy introduced by Microsoft this past week.
(Score: 4, Interesting) by digitalaudiorock on Friday August 23, @12:28PM (1 child)
...and while you're at it, do yourself a favor and don't use Grub either. On my AMD system with EFI I use rEFInd [rodsbooks.com], which is just awesome, and on my older BIOS systems I use SYSLINUX [syslinux.org]. If you want the sane simplicity Grub used to have in version 1 there are options.
(Score: 3, Interesting) by digitalaudiorock on Friday August 23, @04:35PM
Just to elaborate a little on that rEFInd, which I found out about from a recommendation on the Gentoo forums: When I compile a new kernel and do the "make install", that's it...I'm done. rEFInd needs no change and simply sees all the kernels under /boot, defaulting to the newest one. Just awesome...can't say enough about it.