Ventoy
[issue]: Secure Boot: Your shim isn't properly signed.
Official FAQ
- [X] I have checked the official FAQ.
Ventoy Version
1.0.61
What about latest release
Yes. I have tried the latest release, but the bug still exists. I have also done a clean reinstall of Ventoy (GPT + Secure Boot enabled).
BIOS Mode
UEFI Mode
Partition Style
GPT
Disk Capacity
32GB
Disk Manufacturer
No response
Image file checksum (if applicable)
No response
Image file download link (if applicable)
No response
What happened?
The VTOYEFI partition contains EFI\BOOT\BOOTX64.efi
which is apparently from Fedora and is supposed to be properly signed.
It isn't.
The UEFI firmware refuses to boot the file, saying it has an invalid signature.
I then SUCCESSFULLY PROVED that it has an invalid signature.
I copied the openSUSE shim which comes directly from Microsoft. It is around 900 KB. The shim you are using is 1.3 MB (it has clearly been modified).
When I replaced the shim EFI file with the Microsoft shim from openSUSE, Ventoy began booting successfully.
Here is a thread where another user describes the exact error message due to Ventoy's invalid shim EFI file:
https://forums.ventoy.net/showthread.php?tid=1801&page=2
The broken shim will need fixing/replacing in Ventoy.
You can make an issue here: https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk
Can you supply screenshot of the error message or all and exact words displayed?
I'm having the same issue. @Bananaman would you like to share the details where to get a working EFI file and how to replace it?
Edit: After reinstalling Ventoy and trying again I got the MOK management tool where I could enroll the key. No idea where it went wrong the first time.
@ventoy The issue is due to Microsoft revocation of UEFI CA certificate by a Windows update, and some motherboards are coming out of the box with this certificate already in the revocation list, so the shim v13 is rejected. It is recommended to update shim to a newer version taken with patches from a recent Linux distro such as Ubuntu or OpenSuse.
https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/issues/15
https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca
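The dbx revocation described in the comment above is applied to an image hash, not to the file as a whole. As an added example (not Ventoy's, shim's or Super-UEFIinSecureBoot-Disk's own code), this computes the Authenticode SHA-256 of a PE image, which is what firmware compares against db/dbx hash entries, and pulls out the embedded PKCS#7 signature; the PE image and dbx set are constructed inline, and checking the signature's certificate chain against db would still need an X.509/PKCS#7 library.

```python
import hashlib
import struct

def _hdr(pe: bytes):
    """Return (e_lfanew, optional-header offset, security data-directory offset)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    return e_lfanew, opt, opt + (112 if pe32plus else 96) + 4 * 8   # directory entry 4 = SECURITY

def authenticode_sha256(pe: bytes) -> str:
    """Authenticode digest: whole image minus CheckSum, security dir entry and the cert table."""
    e_lfanew, opt, secdir = _hdr(pe)
    checksum, size_of_headers = opt + 64, struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir)
    h = hashlib.sha256(pe[:checksum] + pe[checksum + 4:secdir] + pe[secdir + 8:size_of_headers])
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    sec_tbl = opt + struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    secs = [struct.unpack_from("<II", pe, sec_tbl + 40 * i + 16) for i in range(nsec)]
    end = size_of_headers
    for raw_size, raw_ptr in sorted(secs, key=lambda s: s[1]):     # sections in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    h.update(pe[end:cert_off if cert_len else len(pe)])            # trailing data minus cert table
    return h.hexdigest()

def embedded_signature(pe: bytes):
    """PKCS#7 blob from the WIN_CERTIFICATE entry, or None when the image carries none."""
    cert_off, cert_len = struct.unpack_from("<II", pe, _hdr(pe)[2])
    if not cert_len:
        return None
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (8 bytes), then bCertificate
    return pe[cert_off + 8:cert_off + struct.unpack_from("<I", pe, cert_off)[0]]

def build_sample_pe(body: bytes, cert: bytes) -> bytes:
    """Constructed minimal PE32+ image (no sections) with a certificate table appended."""
    size_of_headers = 0x40 + 24 + 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                 # CheckSum, excluded from the hash
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    win_cert += b"\0" * (-len(win_cert) % 8)                    # entries are 8-byte aligned
    struct.pack_into("<II", opt, 112 + 32, size_of_headers + len(body), len(win_cert))
    return dos + coff + bytes(opt) + body + win_cert
```

Run `authenticode_sha256` over a real BOOTX64.efi and compare the digest with the dbx hashes exported from the machine (on Linux, `mokutil --dbx`) to tell a revoked image from one whose signer is simply not in db.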
@rwasef1830 Thanks a lot for that research!
@ventoy I see that you've already updated Ventoy to the new UEFI boot https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/releases/tag/3-3
I will install https://github.com/ventoy/Ventoy/releases/tag/v1.0.76 on a USB stick and test it now! Hopefully this ticket will be closed after testing! :)
@ventoy Hmm, I thought I had sent a message earlier with the results in June, which were not good. I spent days there, trying signed secure boot shims/files from openSUSE and Fedora in Ventoy with varying improvements. I was able to get further in the boot by replacing shims, and the BIOS accepted the signature when I had replaced the shim, but I was still never able to make the Ventoy menu appear, which I (at the time) assumed to be some result of incorrectly configured chainloader file paths in the replacement shims I used. I still never managed to solve that completely. I also tried resetting CMOS (BIOS settings) multiple times to no avail, and tried resetting/re-enrolling the default SecureBoot keys from the motherboard manufacturer multiple times, but that didn't fix Ventoy either.
The funny thing at the time is that I WAS able to boot the actual distros the various signed shims came from. The problems with booting only happened when using Valdik's secureboot (Ventoy) instead of a distro.
I did so much research, and have a list of related tickets here:
- https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/issues/15
- https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/issues/11
- https://github.com/ventoy/Ventoy/issues/1666
Now for the amazing news: I have solved it!
It's related to old versions of AGESA ComboAm4Pi/ComboAm4v2Pi on AMD motherboards. That's the name of AMD's universal BIOS. The version that shipped on my motherboard always refused to boot Ventoy, specifically.
I updated to the latest EFI BIOS for my MSI X570 Unify yesterday, and immediately Ventoy works in Secure Boot mode.
This proves that some motherboards have either outdated EFI signing keys or outdated algorithms for checking the signatures of the chainloaded components, which could explain why the signing keys for Ventoy are invalid even though the shim itself is properly signed (and shim works with the old BIOS if only used for the distro it came from).
This means that my final advice for everyone having issues is:
- Update to your latest BIOS if Ventoy fails in Secure Boot mode.
- Update the Ventoy wiki page and mention that users may need BIOS updates if they see signature failures for Ventoy, and that they MAY ALSO need to set their BIOS Secure Boot mode to an option labeled something like "allow custom key enrollment" (otherwise the BIOS will only accept its own built-in Microsoft Secure Boot keys): https://www.ventoy.net/en/doc_secure.html
This has been a long journey. I will give you the honors of closing this ticket and adding the small note to the wiki.
Thank you everyone who helped researching this difficult issue! Thank you Ventoy creators for an amazingly helpful program! :heart:
Here's some extra confirmation since someone asked me. I booted the newest Ventoy 1.0.86 in Secure Boot mode, effortlessly:
https://github.com/ventoy/Ventoy/issues/1666#issuecomment-1368012816
Updating to a later bios does not prove anything because the update process may also change the bios settings. To prove it, you would need to flash on the old bios and show that the original problem returns.
> To prove it, you would need to flash on the old bios and show that the original problem returns
That's exactly what I did. I flashed probably 12 times with different old BIOS that all failed to boot Ventoy. I also did tons of BIOS resets and re-added default secureboot keys so many times. I even forcibly tried to use mokutil to force-add the Ventoy key while inside a Linux live USB, to add it to my BIOS manually. That didn't work either.
As soon as I went to the newest BIOS, Ventoy's secure boot signature is now accepted immediately without any tweaking required, and works properly.
I was able to do the mok key sign and installed Debian 12 successfully, but when it asked to reboot, it went to grub, then I booted the OS but it showed some "[somenumber] blacklisted - Problem blacklisting hash - error code -13" or something like that. Note: I am using an MSI B550 Pro VDH WiFi motherboard and have forbidden Debian and Ubuntu shim signatures as shown in the video above. Any idea what could help me?