Ventoy Forums
Questions regarding Secure Boot support. How to un-enroll the key? - Printable Version

+--- Thread: Questions regarding Secure Boot support. How to un-enroll the key? (/showthread.php?tid=1488)



Questions regarding Secure Boot support. How to un-enroll the key? - m.fessler - 12-23-2020

Hello everybody,

first of all, thank you very much for this great tool!
I have a few questions about Secure Boot support - maybe someone can help me:

If I understand correctly, the "enrolled" key is saved in the EFI.
How can this be reversed?
I have reset the keys and all settings to default in the BIOS and even reflashed the BIOS - but the key remained.
Using a Live Linux with mokutil --delete or --reset and then confirming in the "MOK Manager" worked - is that the right way?
An option for this in Ventoy might come in handy.

A Ventoy Stick with Secure Boot support also works perfectly on a device without (or with deactivated) Secure Boot.
Why then is Secure Boot support optional at all, and not always activated automatically?

How do other Live CDs such as PartedMagic do this?
These boot with Secure Boot without having to import a key.

Thanks and happy holidays!
Martin


RE: Questions regarding Secure Boot support. How to un-enroll the key? - Steve2926 - 12-29-2020

If Secure Boot is enabled in the UEFI BIOS, then only files which have been signed by Microsoft are valid and will run.
A UEFI BIOS can contain a 'whitelist' (DB) and a 'blacklist' (DBx) of keys.
Mok Manager will add the key for the Ventoy EFI boot file into the DB database (keys are usually stored in EEPROM flash memory on the motherboard).
Flashing the BIOS can also clear the stored keys but usually you have to specify an extra command line option (depends on the flash utility) - otherwise if you flashed a new BIOS you would lose all your keys and the operating system might not Secure Boot afterwards.
To get any UEFI boot file signed by Microsoft costs many $1000's.
The PartedMagic developers paid the $ to MS which is probably why PartedMagic is no longer free.


RE: Questions regarding Secure Boot support. How to un-enroll the key? - ValdikSS - 01-03-2021

(12-23-2020, 05:19 AM)m.fessler Wrote: With a Live Linux and mokutil --delete or --reset with subsequent confirmation in the "MOK Manager" worked - is that the right way?

Yes, this is one of the methods.
You can remove the key from UEFI with KeyTool.efi (efitools Linux package). https://archlinux.org/packages/extra/x86_64/efitools/download/
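Before deleting anything with mokutil or KeyTool it helps to see what is actually enrolled. The following is an added example, not code from this thread or from the Ventoy project: it parses the EFI_SIGNATURE_LIST format shared by db, dbx and shim's MokListRT as read from efivarfs, and lists each entry's type, owner GUID and payload hash. The owner GUID and payloads in demo_entries() are constructed sample data.

```python
"""Parse EFI_SIGNATURE_LIST blobs as exposed by efivarfs (db, dbx, MokListRT)."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

def parse_signature_lists(blob, efivarfs=True):
    """Return (type, owner GUID, sha256 of payload) for every enrolled signature.

    efivarfs=True skips the 4-byte attribute header that efivarfs prepends to
    variable contents (e.g. /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f).
    """
    data = blob[4:] if efivarfs else blob
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            digest = hashlib.sha256(data[pos + 16:pos + sig_size]).hexdigest()
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), str(owner), digest))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST with equal-sized payloads (constructed test data)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

def demo_entries():
    """Constructed sample: one fake X509 entry and two SHA256 hash entries (not real firmware data)."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")
    blob = b"\x07\x00\x00\x00"  # efivarfs attribute header (NV | BS | RT)
    blob += build_signature_list(EFI_CERT_X509_GUID, owner, [b"dummy-cert-der"])
    blob += build_signature_list(EFI_CERT_SHA256_GUID, owner, [b"\x00" * 32, b"\xff" * 32])
    return parse_signature_lists(blob)

if __name__ == "__main__":
    for entry in demo_entries():
        print(entry)
```

On a real system, pass the bytes of the efivarfs file for db, dbx or MokListRT to parse_signature_lists() to see which entries a mokutil --delete or KeyTool operation would have to remove.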