rEFInd and mokutil set-sbat-policy fix for "self test failed"

[Craig Felix]

Another victim here of MS induced secure boot error plaguing dual boot WIndows/Linux deskotps. The internet quick fix seems to be running mokutil --set-sbat-policy delete followed by a reboot to implement the change. Is this likely to work in the rEFInd environment? In my case, I have installed rEFInd on a USB drive using refind-install with the usedefault option. The shim version I used matches /usr/lib/shim/shimx64.efi.signed.latest in size (960472). The .previous version in the same directory is smaller (955656)

Before I found out that this error was not "just me", I thought maybe my USB was corrupted so I made a few attempts to reformat it and reinstall rEFInd, but of course, no success. I even deleted the rEFInd MOK thinking that was the problem, but no. I now assume that since I could only get ubuntu to run with Secure Boot turned off that refind-install wasn't going to set up Secure Boot without it being active. I'm hoping the set-sbat-policy command will get ubuntu booting in Secure Boot again and I can then reinstall rEFInd back on the USB drive.

Please advise if this is likely to just make things worse.

[Craig Felix]

Just saw a post by Ubuntu Discourse from 8/22 that there is a patch coming on 8/29 to update shim to v15.8. I think I can just carry on with Secure Boot turned off, then proceed with rEFInd "re"install after the shim update. There was a question there about the impact of using the mokutil --set-sbat-policy delete as a work-around but no response so far.

[Craig Felix]

Just to acknowledge that the shim v15.8 update for Ubuntu worked well and I got rEFInd installed to a USB drive on the first try. Hopefully MS and the linux distros get on the same page the next time MS wants to improve Secure boot.