
[Secure Boot] The Ventoy Machine Owner Key (MOK) is being reused for each individual install

Open turtureanu opened this issue 2 years ago • 2 comments

Official FAQ

  • [X] I have checked the official FAQ.

Ventoy Version

1.0.88

What about latest release

Yes. I have tried the latest release, but the bug still exists.

Try alternative boot mode

Yes. I have tried them, but the bug still exists.

BIOS Mode

UEFI Mode

Partition Style

MBR

Disk Capacity

64 GB

Disk Manufacturer

SanDisk

Image file checksum (if applicable)

N / A

Image file download link (if applicable)

N / A

What happened?

Each time Ventoy is installed to a drive with "Secure Boot Support", it copies over the same ENROLL_THIS_KEY_IN_MOKMANAGER.cer file. The MOK should be generated each time Ventoy is installed to a different drive (i.e. when it is not updated).

Enrolling the same MOK results in a possible physical security vulnerability; an attacker can simply install Ventoy to their own USB drive and thereby bypass secure boot.

turtureanu avatar Jan 22 '23 13:01 turtureanu
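As an added example (not code from the issue or from the Ventoy project), a small defender-side check for the key reuse described above: it computes the fingerprint of the shipped `ENROLL_THIS_KEY_IN_MOKMANAGER.cer`, reports whether two Ventoy installs carry the identical certificate, and looks the fingerprint up in captured `mokutil --list-enrolled` output. The certificate bytes and the mokutil output are constructed stand-ins; the assumption that the .cer is DER (with PEM unwrapped if present) and that mokutil prints `SHA1 Fingerprint:` lines are mine.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the DER bytes of ENROLL_THIS_KEY_IN_MOKMANAGER.cer
# (not real certificates; only the raw bytes matter for a fingerprint check).
CONSTRUCTED_CER_A = b"\x30\x82\x01\x00" + b"shared-ventoy-mok-example-a" * 4
CONSTRUCTED_CER_B = b"\x30\x82\x01\x00" + b"per-install-mok-example-b" * 4
# Same certificate as A, but PEM-armoured, to exercise the unwrapping path.
CONSTRUCTED_CER_A_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                         + base64.b64encode(CONSTRUCTED_CER_A)
                         + b"\n-----END CERTIFICATE-----\n")


def load_der(data: bytes) -> bytes:
    """Return DER bytes; unwrap a PEM-armoured certificate if that is what we got."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(der: bytes) -> str:
    """SHA1 fingerprint in the colon-separated upper-case form mokutil prints (assumed)."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def installs_share_key(cer_files: list[bytes]) -> bool:
    """True when two or more installs ship an identical MOK cert (the reported issue)."""
    return len({fingerprint(load_der(c)) for c in cer_files}) < len(cer_files)


def enrolled_fingerprints(mokutil_output: str) -> set[str]:
    """Parse the 'SHA1 Fingerprint:' lines out of `mokutil --list-enrolled` output."""
    return {fp.upper() for fp in re.findall(r"SHA1 Fingerprint:\s*([0-9A-Fa-f:]+)", mokutil_output)}


def shared_key_enrolled(cer_data: bytes, mokutil_output: str) -> bool:
    """True if this firmware's MOK list already trusts the given certificate."""
    return fingerprint(load_der(cer_data)) in enrolled_fingerprints(mokutil_output)


def constructed_mokutil_output() -> str:
    """Constructed sample in the shape of `mokutil --list-enrolled`, with cert A enrolled."""
    return ("[key 1]\nSHA1 Fingerprint: " + fingerprint(CONSTRUCTED_CER_A)
            + "\nCertificate:\n    Data:\n        Version: 3 (0x2)\n")


if __name__ == "__main__":
    print("two installs share a key:", installs_share_key([CONSTRUCTED_CER_A, CONSTRUCTED_CER_A]))
    print("shared key enrolled here:", shared_key_enrolled(CONSTRUCTED_CER_A, constructed_mokutil_output()))
```

On a real machine, feed the bytes of the .cer from the Ventoy partition and the captured output of `mokutil --list-enrolled`; a match means this firmware trusts a key that every Ventoy install carries, and the certificate should be removed from the MOK list.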

Me too. My computer is a Dell XPS 9510.

mydrycn avatar Feb 17 '23 16:02 mydrycn

Temporary workaround: Administrators should always set a BIOS password and make sure the boot order never prioritizes an external drive over the main internal boot drive. This should be standard practice everywhere.

Not saying you are wrong though. MOKs have flawed security regardless. See --> https://informatika.stei.itb.ac.id/~rinaldi.munir/Kriptografi/2020-2021/Makalah-UAS/Makalah-UAS-Kripto-2020%20(53).pdf - Social engineering can still greatly compromise a system that has a randomized MOK anyway, so you should still have stronger practices in place to prevent this.

birdybro avatar Jan 03 '24 16:01 birdybro