Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
 Ventoy enroll key manager not working in new Dell laptops that use SecureBoot
#21
(10-13-2024, 08:19 AM)asheroto Wrote: See possible shim workaround by a contributor. Others are reporting this works for now.

https://github.com/ventoy/Ventoy/issues/...2362323248

I also tried it and it works for me too.  I had a bunch of brand new DELL Pcs come in a few weeks ago, Ventoy did NOT work when Secure Boot was enabled.  I could disable it, then it would run. My company requires Secure Boot be on for all PCs.  

Some ELI5 instructions for anyone who may be confused: 
I downloaded the ZIP file from the github link https://github.com/user-attachments/file...img.xz.zip 

I replaced the file ventoy.disk.img.xz in my ventoy-1.0.99 Install folder in the ventoy subfolder overwriting the version that was here. 

With your Ventoy stick mounted, from the root of the Ventoy install folder run Ventoy2Disk.exe, choose the UPDATE button, which even though it's the same version will NON destructively update it with the contents of the new ventoy.disk.img.xz you placed in the Ventoy install  folder.

Your stick should now work when the PC is using Secure Boot, you will still have to enroll the ID just as you did before back when the OLD shim still worked and reboot.  The ID will be good from there on out ON THAT MACHINE, and will be good for ANY Ventoy stick (as long as it has this updated shim) drive.

I tested this out 'scientifically'.

I used my unmodified Ventoy drive on a new PC that has Secure Boot running on it, it would previously not run it The results were the same, it produces a security error and does not boot to the Ventoy menu.

I updated the stick using the new shim file and went to the SAME PC and booted to the Ventoy stick.  It now booted to the Ventoy screen that asks that you enroll the ID key, you do so, then reboot and boot back to the stick, it now works just fine.
Reply
#22
(10-16-2024, 02:58 PM)Rootman Wrote:
(10-13-2024, 08:19 AM)asheroto Wrote: See possible shim workaround by a contributor. Others are reporting this works for now.

https://github.com/ventoy/Ventoy/issues/...2362323248

I also tried it and it works for me too.  I had a bunch of brand new DELL Pcs come in a few weeks ago, Ventoy did NOT work when Secure Boot was enabled.  I could disable it, then it would run. My company requires Secure Boot be on for all PCs.  

Some ELI5 instructions for anyone who may be confused: 
I downloaded the ZIP file from the github link https://github.com/user-attachments/file...img.xz.zip 

I replaced the file ventoy.disk.img.xz in my ventoy-1.0.99 Install folder in the ventoy subfolder overwriting the version that was here. 

With your Ventoy stick mounted, from the root of the Ventoy install folder run Ventoy2Disk.exe, choose the UPDATE button, which even though it's the same version will NON destructively update it with the contents of the new ventoy.disk.img.xz you placed in the Ventoy install  folder.

Your stick should now work when the PC is using Secure Boot, you will still have to enroll the ID just as you did before back when the OLD shim still worked and reboot.  The ID will be good from there on out ON THAT MACHINE, and will be good for ANY Ventoy stick (as long as it has this updated shim) drive.

I tested this out 'scientifically'.

I used my unmodified Ventoy drive on a new PC that has Secure Boot running on it, it would previously not run it The results were the same, it produces a security error and does not boot to the Ventoy menu.

I updated the stick using the new shim file and went to the SAME PC and booted to the Ventoy stick.  It now booted to the Ventoy screen that asks that you enroll the ID key, you do so, then reboot and boot back to the stick, it now works just fine.

This solution will also only work for a short time:

The enforcement phase of the Secure Boot changes related to CVE-2023-24932 will start in a few weeks.

The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices.
These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

https://support.microsoft.com/en-gb/topi...ion5025885
Reply
#23
(10-16-2024, 02:58 PM)Rootman Wrote:
(10-13-2024, 08:19 AM)asheroto Wrote: See possible shim workaround by a contributor. Others are reporting this works for now.

https://github.com/ventoy/Ventoy/issues/...2362323248

I also tried it and it works for me too.  I had a bunch of brand new DELL Pcs come in a few weeks ago, Ventoy did NOT work when Secure Boot was enabled.  I could disable it, then it would run. My company requires Secure Boot be on for all PCs.  

Some ELI5 instructions for anyone who may be confused: 
I downloaded the ZIP file from the github link https://github.com/user-attachments/file...img.xz.zip 

I replaced the file ventoy.disk.img.xz in my ventoy-1.0.99 Install folder in the ventoy subfolder overwriting the version that was here. 

With your Ventoy stick mounted, from the root of the Ventoy install folder run Ventoy2Disk.exe, choose the UPDATE button, which even though it's the same version will NON destructively update it with the contents of the new ventoy.disk.img.xz you placed in the Ventoy install  folder.

Your stick should now work when the PC is using Secure Boot, you will still have to enroll the ID just as you did before back when the OLD shim still worked and reboot.  The ID will be good from there on out ON THAT MACHINE, and will be good for ANY Ventoy stick (as long as it has this updated shim) drive.

I tested this out 'scientifically'.

I used my unmodified Ventoy drive on a new PC that has Secure Boot running on it, it would previously not run it The results were the same, it produces a security error and does not boot to the Ventoy menu.

I updated the stick using the new shim file and went to the SAME PC and booted to the Ventoy stick.  It now booted to the Ventoy screen that asks that you enroll the ID key, you do so, then reboot and boot back to the stick, it now works just fine.



Thanks rootman, I for one was having the difficulties you surmised with following the information in the thread. Your simplified instructions however worked for me and I could now boot two separate USB/SSD sticks by replacing the ventoy.disk.img.xz file in my ventoy-1.0.99 install folder and with Secure Boot ON.

I could use Ventoy to boot with both sticks in to Segei Strelec Win PE ISO. BUT interestingly, while I could use Acronis True Image from INSIDE SS-WinPE, I could NOT get in to Acronis using a separate Acronis ISO. That is, Ventoy booted up just fine to the usual menu, but on trying to go from there to get in to (a separate) Acronis ISO (which I have on said sticks along with SS-WinPE and other ISOs), I got a blue screen.

I have not yet tried ISOs other than SS-WinPE and Acronis.
Reply
#24
(10-16-2024, 03:54 PM)Van Flusen Wrote: This solution will also only work for a short time:

The enforcement phase of the Secure Boot changes related to CVE-2023-24932 will start in a few weeks.

The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices.
These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

https://support.microsoft.com/en-gb/topi...ion5025885

Well, shit.  I knew that was too good to be true.  Sorry, I can't slog through the article just now, you seem to have a handle on the situation, does this mean that the shim will no longer work even when Secure Boot is turned off? Or will it work as previously, when Secure Boot is turned off?
Reply
#25
All should work with SECURE BOOT off.
Reply
#26
(10-17-2024, 10:36 AM)Rootman Wrote:
(10-16-2024, 03:54 PM)Van Flusen Wrote: This solution will also only work for a short time:

The enforcement phase of the Secure Boot changes related to CVE-2023-24932 will start in a few weeks.

The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices.
These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

https://support.microsoft.com/en-gb/topi...ion5025885

Well, shit.  I knew that was too good to be true.  Sorry, I can't slog through the article just now, you seem to have a handle on the situation, does this mean that the shim will no longer work even when Secure Boot is turned off? Or will it work as previously, when Secure Boot is turned off?

If Secure Boot is disabled, there will be no problems with Ventoy in the future, as @FroggieTheGremlin already answered.

Provided Microsoft does not remove the option to disable Secure Boot in the future. [Image: huh.png]
Reply
#27
(10-17-2024, 03:01 AM)Epictetus Wrote: Thanks rootman, I for one was having the difficulties you surmised with following the information in the thread. Your simplified instructions however worked for me and I could now boot two separate USB/SSD sticks by replacing the ventoy.disk.img.xz file in my ventoy-1.0.99 install folder and with Secure Boot ON.

I could use Ventoy to boot with both sticks in to Segei Strelec Win PE ISO. BUT interestingly, while I could use Acronis True Image from INSIDE SS-WinPE, I could NOT get in to Acronis using a separate Acronis ISO. That is, Ventoy booted up just fine to the usual menu, but on trying to go from there to get in to (a separate) Acronis ISO (which I have on said sticks along with SS-WinPE and other ISOs), I got a blue screen.

I have not yet tried ISOs other than SS-WinPE and Acronis.


I have tried a couple of other ISOs and they boot - anyone got any idea why SOME ISOs boot and others don't?
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)