Ventoy Forums
KB5012170: Security update for Secure Boot DBX


KB5012170: Security update for Secure Boot DBX - Van Flusen - 08-11-2022

After Windows update KB5012170 (August 9, 2022), Ventoy can no longer be booted with Secure boot enabled.

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

KB5012170
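As an added illustration of what the KB text describes (not code from this thread or from the Ventoy project): the DBX variable is a sequence of EFI_SIGNATURE_LIST structures, and the entries this update adds are SHA-256 Authenticode hashes of revoked boot components. A defender can read the variable and check whether a given boot loader's hash is on the blacklist. The sample dbx blob and its owner GUID below are constructed, not real revocation entries.

```python
import struct
import uuid

# Signature-type GUID for lists of raw SHA-256 hashes (EFI_CERT_SHA256_GUID, from the UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed placeholder for the SignatureOwner field; real dbx entries carry the vendor's GUID.
SAMPLE_OWNER_GUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")

# Where the bytes come from on a real system (both are assumptions about the host, not from the thread):
#   Windows: (Get-SecureBootUEFI -Name dbx).Bytes
#   Linux:   /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f,
#            skipping the 4-byte attribute prefix efivarfs prepends to the variable data.


def parse_dbx(blob: bytes) -> list[str]:
    """Walk the concatenated EFI_SIGNATURE_LIST structures in a dbx blob and
    return the hex SHA-256 hashes it revokes. Lists of other types (x509 certificates) are skipped."""
    hashes = []
    off = 0
    while off < len(blob):
        # Header: SignatureType GUID (16), SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32).
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError(f"corrupt signature list at offset {off}")
        body = off + 28 + hdr_size
        if sig_type == EFI_CERT_SHA256_GUID:
            while body + sig_size <= off + list_size:
                # Each entry is a SignatureOwner GUID (16 bytes) followed by the 32-byte hash.
                hashes.append(blob[body + 16:body + sig_size].hex())
                body += sig_size
        off += list_size
    return hashes


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given Authenticode SHA-256 (hex) appears in the dbx blob."""
    return sha256_hex.lower() in parse_dbx(blob)


def build_sha256_list(hashes: list[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here to construct test input)."""
    sig_size = 16 + 32
    header = struct.pack("<III", 28 + sig_size * len(hashes), 0, sig_size)
    entries = b"".join(SAMPLE_OWNER_GUID.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + header + entries


# Constructed sample dbx with two made-up hashes.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])
```

On a real machine, compute the Authenticode hash of the boot loader in question (for example with sigcheck or pesign) and pass it to is_revoked together with the live dbx bytes.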


RE: KB5012170: Security update for Secure Boot DBX - Steve2926 - 08-11-2022

Which versions of Ventoy are affected?


RE: KB5012170: Security update for Secure Boot DBX - Van Flusen - 08-11-2022

(08-11-2022, 06:25 PM)Steve2926 Wrote: Which versions of Ventoy are affected?

1.0.79


RE: KB5012170: Security update for Secure Boot DBX - eyal - 09-02-2022

I think I see the same issue. Very recently I am unable to boot a Ventoy USB disk.
The machine is a Windows 10 machine, BIOS is set to UEFI Secure Boot. BIOS cannot be changed, but I think it can be if I set a BIOS password?

I have two USB disks. One is 1.0.74 and the other is 1.0.79 (installed yesterday). Both open a screen which is mostly empty, black.
At the center there is a shield outline (with a lock inside) and below it says "Security Boot Fail". No other option, no key works.

Assuming this issue is related to a recent windows update, what is the status of this issue?
Is there a plan to enable ventoy to boot with secure boot enabled?


RE: KB5012170: Security update for Secure Boot DBX - Van Flusen - 09-03-2022

In the UEFI BIOS, you need to disable Secure Boot or clear the DBx database to remove the blacklist keys added by Windows Update.


RE: KB5012170: Security update for Secure Boot DBX - eyal - 09-03-2022

(09-03-2022, 06:04 AM)Van Flusen Wrote: In the UEFI BIOS, you need to disable Secure Boot or clear the DBx database to remove the blacklist keys added by Windows Update.
Is this a workaround while waiting for a proper update or a permanent solution? It is not described in the "About Secure Boot" doco where the old "enroll" instructions were removed.

I would rather not disable secure boot.
How do I clear a key in the DBx database (and which key should I disable)?

TIA


RE: KB5012170: Security update for Secure Boot DBX - Van Flusen - 09-03-2022

There is no official solution.
There may be a new hack in the future, but it will only work until Microsoft adds it back to the DBx Blacklist.
It remains a cat and mouse game.

Read:
https://forums.ventoy.net/showthread.php?tid=2163

https://rmprepusb.blogspot.com/2022/08/microsoft-just-made-secure-boot.html#more


RE: KB5012170: Security update for Secure Boot DBX - jiafei2427 - 09-16-2022

Clearing DBX is invalid.


RE: KB5012170: Security update for Secure Boot DBX - eyal - 09-18-2022

(09-16-2022, 02:04 PM)jiafei2427 Wrote: Clearing DBX is invalid.

Can you please elaborate on what 'is invalid' means?


RE: KB5012170: Security update for Secure Boot DBX - nguyen ha thai trong - 09-18-2022

You need BIOS intervention, like a BIOS downgrade or reset, to solve your problem.