Boot fails with shim security policy violation

My boot fails with

Verifying shim SBAT data failed: Security policy violation 
Something went seriously wrong: SBAT self-test failed: Security Policy Violation

it started with motherboard replacement, currently only able to boot from livecd, secure boot is enabled

liveuser@localhost-live:~$ mokutil --sb-state
SecureBoot enabled

what i’ve tried:

  1. uninstalling nvidia drivers through mounting my disks and chroot’ing to them
  2. enrolling new following this guide Howto/Secure Boot - RPM Fusion ( also through chroot)

What else i should try or how to gather what causes the issue?

the only drivers i think may be causing it are nvidia and vmware-host-modules

At looks like your shim or grub2 is not up-to-date. Are you on Silverblue or similar system?

If you changed mobo maybe you are missing the fedoraca key.

$ sudo mokutil --list-enrolled
2bb010e24d fedoraca

https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html-single/UEFI_Secure_Boot_Guide/index.html#sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Keys

Maybe try disabling secureboot and reinstalling the shim packages

no, stable fedora 41

root@localhost-live:/home/liveuser# sudo mokutil --list-enrolled
2bb010e24d fedoraca
d84f167fe6 MSI
7f60cb16cd localhost-live_1736163017_ec6b226f

fedoraca key presents

Tried reinstalling it with secureboot disabled, now when im chosing fedora in boot menu I’m just getting back to boot menu(no matter secure boot is enabled or disabled)

Tried rebuilding boot partition following the guidance from this thread - Repair/Reinstall GRUB after Windows 11 Update (Dual Boot Fedora F39)

All with secure boot disabled.

And I been able to get into non visual grub console and try to boot following this guide - The GRUB2 Bootloader – Installation and Configuration :: Fedora Docs

But now I got the boot process stuck on loading nouveau

This key seems to have been generated on the live media and not on the running system.
Secure boot with fedora driver modules can only be used if the key is generated and imported into bios from the installed and running OS. The key pairs will exist in /etc/pki/akmods/certs and /etc/pki/akmods/private. I have never tried that with the chroot environment, but I know that the hostname for the live media will not match the hostname for the installed OS.

My suggestion

  1. disable secure boot
  2. remove that particular key from bios with mokutil. (use `man mokutil to guide doing this).
  3. boot to the main os, then set the hostname using hostnamectl.
  4. generate a new key pair with kmodgenca -f, import it and verify with the instructions in the file /usr/share/doc/akmods/README.secureboot (the key is identified with the hostname so step 3 seems necessary)
  5. recreate any drivers with akmods --force --rebuildto ensure they are signed with the new key
  6. reboot to verify everything now works.
  7. During a final reboot you could now enable secure boot and it should work

The SBAT data is inside the UEFI BIOS.

It would seem that your BIOS needs to be updated to make sure it has up to date and valid SBAT data.

Try updating the BIOS. If that does not work I suggest you talk to the vendor that replaced the board to see if they know what is wrong with SBAT.

SBAT is part of shim. See https://mjg59.dreamwidth.org/70348.html for details, for example

(An aside: the “Something has gone seriously wrong” message that’s associated with people having a bad time as a result of this update? That’s a message from shim, not any Microsoft code. Shim pays attention to SBAT updates in order to avoid violating the security assumptions made by other bootloaders on the system, so even though it was Microsoft that pushed the SBAT update, it’s the Linux bootloader that refuses to run old versions of grub as a result. This is absolutely working as intended)

The important part is that the shim compares the “sbat” strings in grub2 and check that against its known list of good versions, so it is important that you keep the shim and grub2 up-to-date.

So, here is what i did for now:

as @leigh123linux recommended tried reinstall shim packages with secure boot disabled

following @computersavvy suggestions removed keys that were created from livecd with chroot env, generated and enrolled new one and recreated drivers(currently there are none)

acc@fedora:~$ sudo mokutil --test-key /etc/pki/akmods/certs/public_key.der
/etc/pki/akmods/certs/public_key.der is already enrolled
acc@fedora:~$ sudo akmods --force --rebuild
No akmod packages found, nothing to do.                    [  OK  ]
acc@fedora:~$ mokutil --list-enrolled
7e68651d52 Fedora Secure Boot CA
deed1cdde9 akmods local signing CA

BIOS is updated to latest version, not sure what to discuss with the vendor, as windows keeps booting successfully, so more likely it’s not the board issue. btw it was official IBM service

I’ve just updated all packages(including shim* and grub2*).

Let me now enable the secure boot and try booting

1 Like

Found another article https://pupuweb.com/how-to-resolve-verifying-shim-sbat-data-failed-error-on-linux-dual-boot-system-due-to-security-policy-violation-after-kb5041585-update-installed/

The fix would be as given in this article

Step 1: Disable Secure Boot

  1. Restart your device and enter the firmware settings (BIOS/UEFI). This usually involves pressing F2, DEL, or ESC during startup.
  2. Locate the Secure Boot settings and disable them.

Check Microsoft’s official page or your manufacturer’s website for detailed instructions.

Step 2: Remove the SBAT Update in Linux

  1. Boot into Linux and open the terminal.
  2. Run: sudo mokutil –set-sbat-policy delete.
  3. Enter your root password when prompted.
  4. Restart your system.

Step 3: Verify SBAT Revocations

  1. In the terminal, run: mokutil –list-sbat-revocations.
  2. Make sure no revocations are listed.

Step 4: Re-enable Secure Boot

Re-enter firmware settings and turn Secure Boot back on.

Step 5: Check Secure Boot Status

  1. Boot into Linux and run: mokutil –sb-state in the terminal.
  2. Ensure the output reads “SecureBoot enabled.”

Step 6: Block Future SBAT Updates in Windows

  1. Boot into Windows.
  2. Open Command Prompt as an administrator.
  3. Run: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD.

The Fedora grub has been at or above the supported SBAT level for over 2 years.
That would imply the OP has a very old shim, or one from debian/ubuntu that did not update.

debian/ubuntu 100% never was installed or even booted from livecd, old version of shim also don’t think so as I reguraly did updates, but initially yes my installation was updated one by one since fedora 36 through years.

With secure boot enabled now I’m just seeing black screen instead of grub

Fixed by booting from live CD again and reinstalling grub2* and shim*, also did install Nvidia drivers and now with secure boot getting SBAT error again.

Will try following @computersavvy provided steps again

Before doing that, run mokutil --list-sbat-revocations. It should show

sbat,1,2023012900
shim,2
grub,3
grub.debian,4
sbat,1,2023012900
shim,2
grub,3
grub.debian,4

unfortunately no results with retrying everything again

could it be worth it to download the latest fedora ISO and copy the /boot/efi/* into my system?

Did you verify the result of mokutil --list-sbat-revocations? This is not clear from what you wrote.

Yes, I’ve pasted the output of this command, it’s same as yours