Urgent Help Needed: Clonezilla Boot Failure - "SBAT Data Failed: Security...
A partition and disk imaging/cloning program
Brought to you by:
steven_shiau
Menu
▾
▴
Hello everyone,
I'm in urgent need of assistance with a critical issue I'm facing while trying to boot from my Clonezilla USB. I've been using this USB without any problems for backups, but today, when I really need to create a backup, my computer fails to boot from the USB and displays the following error message:
"Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation"
Immediately after this message appears, the computer shuts down completely. This is the first time I've encountered this error, and I'm unsure what could be causing it.
Here’s some additional context:
Has anyone else experienced this issue, or does anyone know how to resolve it? I would really appreciate any advice or troubleshooting steps.
Thanks in advance for your help!
I thought I was the only one having this problem.
This is the fault of the 'shim' packages from the 'sid' branch.
They increase the shim numbers unnecessarily and that is why older versions of shim cannot start and print "Verifying shim SBAT data failed: Security Policy Violation".
I think these four 'sid' shim packages were too hastily included in Clonezilla and are breaking other shims.
Take a look:
https://en.opensuse.org/openSUSE:UEFI#Reset_SBAT_string_for_booting_to_old_shim_in_old_Leap_image
To summarize:
1. You need to disable Secure Boot.
2. Boot the system with the latest shim that broke it (here: clonezilla)
3. As root, issue the command:
mokutil --set-sbat-policy delete
4. Restart your computer to the same system that caused the crash (step 2).
5. Turn off your computer, turn on Secure Boot and you should be fine.
Use Clonezilla ver. to create images. 3.1.2-26, which contains shim packages from current testing and does not break systems.
To the creators of Clonezilla:
it would be good to restore shim packages from testing until Debian sorts this out.
Regards
Last edit: ZL 2024-08-20
Thank you for the prompt response.
If I create a fresh USB bootable with the latest version of Clonezilla, will that resolve the issue, or will I still need to follow the steps you’ve outlined?
I’m not very familiar with what a shim is or its connection to the SID branch. However, I’ve tested my USB on both of my PCs at home, and the error occurs on both, causing them to shut down.
If I follow these steps on one machine to fix the USB bootable, will that be sufficient to resolve the issue?
I’m also concerned whether there’s any sort of countdown or limitation with this fix, or will it provide a permanent solution?
I followed above steps:
Disable Secure Boot > Booted the CZ USB > Entered a shell in Clonezilla > Ran the above command from step 3 > Rebooted in BIOS > Re-Enabled Secure Boot.. Attempted to boot the CZ USB and same error.
I'll download the latest version....
Since I wrote the previous post in a hurry, here are some details.
Point 1.
shim packages in Debian Testing:
shim-helpers-amd64-signed 1+15.7+1
shim-signed:amd64 1.40+15.7-1
shim-signed-common 1.40+15.7-1
shim-unsigned 15.7-1
Point 2.
shim packages in Debian sid (these versions break older ones):
shim-helpers-amd64-signed 1+15.8+1
shim-signed:amd64 1.44+15.8-1
shim-signed-common 1.44+15.8-1
shim-unsigned:amd64 15.8-1
Point 3.
Clonezilla versions (according to the file on the CD: /live/filesystem.packages):
3.1.2-23-amd64 – contains shim from testing
3.1.3-15-amd64 – contains shim from sid
Versions between 3.1.2-26-amd64 and 3.1.3-10-amd64 contain packages
shim-helpers-amd64-signed 1+15.8+1
shim-signed:amd64 1.40+15.7-1
shim-signed-common 1.40+15.7-1
shim-unsigned:amd64 15.8-1
They may be harmless – if I'm not mistaken.
The safe version is stable 3.1.2-22-amd64.
Point 4.
By changing numbers I mean the numbers shown by the command:
mokutil --list-sbat-revocations
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
Point 5.
@KC, your questions:
5.1.
If I create a fresh USB bootable with the latest version of Clonezilla, will that resolve the issue, or will I still need to follow the steps you’ve outlined?
As long as there is a shim from sid, in my opinion the problem will still occur.
5.2.
On the systems installed on your computers you have an "old" shim, and the new Clonzilla has a shim from sid.
5.3
You won't fix anything on a USB drive with the latest Clonezilla because the shim is in the filesystem.squashfs file.
Look at the files on the Clonezilla CD/USB stick.
5.4.
The idea is that for safety, the shim should increase the numbers every so often (see point 4 – sbat, shim, grub etc.).
There is no problem with this if you only boot one system from the computer (and of course update the shim).
But there is a problem if you boot different systems on the same computer, e.g. from systems installed on USB.
Then the one with the newest shim will increase the numbers (see point 4) and your previous system will not boot.
This happened to me for the first time when I updated Debian installed (as on a hard drive) on a USB stick to sid.
Last edit: ZL 2024-08-20
@KC
You need to boot twice using the latest shim version (the one that broke this, no need to download anything new):
Last edit: ZL 2024-08-20
I'm really confused right now and might have to ditch Clonezilla for a different product entirely and make fresh backsups whilst I can. I can't get over this!
I don’t get what’s happening, and it’s making a stressful situation even worse. I know you’re trying to help, but I’m even more lost. If my system were to go down and I needed to restore it, I'd be in serious trouble. I desperately need to make a backup before making critical changes, but I'm stumped.
I downloaded the latest version and like you suggested, it didn’t work. I’m a total novice and don’t know what to do. This is a complete nightmare for someone like me.
What a bloody nightmare this is!!!!!!
I'm still confused- also whatever the old version of Clonezilla was has now been expunged. I only have one USB drive which I use for CZ and I've replaced the old version with 3.1.2-9. I'm going to take a walk to calm down since this has really stressed me out!
I've been using Clonezilla for years and never had any issues like this.
I understand you.
Universal advice: don't panic, take a break to cool down.
In Linux, everything can be fixed.
I was helpless, too, when I saw a black screen with this sign and my computer shut down after a few seconds.
The only thing to do then is to disable Secure Boot.
You can always boot with Secure Boot disabled - Linux will boot correctly.
I don't know what effect this has on Winows 10/11.
Besides, you are not alone - the developers of Clonezilla are smarter than the two of us and will surely come up with something.
Regards
I'm still having trouble with this issue despite following all the advice given.
Honestly, I'm finding it really hard to understand all this SHIM and SBAT stuff. Can anyone just tell me if there’s a specific version of Clonezilla that actually works without these problems? Also, based on what ZL mentioned, is the issue happening because I used the same Clonezilla USB on two different computers?
I really need to get this sorted. If my system fails, I need to know that I can restore it properly. Would disabling Secure Boot allow me to restore my image without any issues, or could that cause more problems? For reference, I’m running the latest version of Windows 11 on both my PCs.
ZL also mentioned, "You need to boot twice using the latest shim version (the one that broke this, no need to download anything new)." I don’t understand why I need to boot twice. I’ve followed the steps: ran the mokutil command, rebooted, re-enabled Secure Boot, and yet the problem is still there, computer will switch off, even with the latest version.
ZL It sounds like you’ve managed to fix it your end because you know exactly what you’re doing, but for someone like me, this is really confusing. I’ve followed the instructions, but I’m still stuck, and to be honest, I’m really annoyed. It’s also frustrating that none of the developers have acknowledged this issue here or offered any help. It’s really disappointing!
I even installed 3.1.2-22amd64 and that don't work either!
I'm super pissed off right now!
I was able to successfully download and boot Clonezilla version clonezilla-live-3.1.3-16-amd64. I'm not sure why this specific version worked, but I wanted to share the update.
My main question is - is there a limit to how many times I can use this version between my two machines before that "dreaded error" comes back?
Let's clarify the description.
Are we understanding each other correctly?
I understand your problem like this:
1) There is a computer with a Linux system (+ Windows) running on the hard drive in the computer. Everything is fine.
2) One day you insert a USB stick with another Linux system (in this case it is Clonzilla) into the USB. You start this computer from this USB stick. Everything is fine.
3) You finish working with the system on USB. You turn off the computer. You disconnect the USB stick from the computer and put it in a drawer.
4) Now you start the computer - the system from the hard drive. But during startup, after a short display of the "Del", "F12" (or similar) keys, the screen goes black and before you can read the inscription:
"Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation" the computer turns off and you can't do anything more. It takes literally a dozen or so seconds.
5) The only thing you can do is enter the BIOS ("Del") and disable Secure Boot, which will cause the system to boot from the hard drive.
That's how I understand the problem you're describing.
Last edit: ZL 2024-08-21
No Linux system .. just windows 11 on two seperate PC's ... Clonezilla lives on a bootable USB.. Both PC's are backed up randomly.. If a PC was to die, clonezilla USB to the rescue and restore latest image..
The only Linux system here is the USB itself which houses Clonezilla is my understanding.
Anwyay dude, the latest version worked for sure with secure boot enabled..
Too bad, "dude", that you didn't specify at the beginning that you only use Windows.
My mistake was assuming without asking that you use Linux.
Now it turns out that most of my writing is unnecessary.
Windows (in my opinion) probably approaches this issue differently.
Good luck.
I wouldn't say unnecessary you provided useful relevant information...