KB5012170: Security update for Secure Boot DBX
#1
After Windows update KB5012170 (August 9, 2022), Ventoy can no longer be booted with Secure boot enabled.

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

KB5012170
Reply
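The DBX that the update described above extends is a UEFI variable holding one or more EFI_SIGNATURE_LIST structures; for revoked boot binaries each entry is the SHA-256 Authenticode hash of the PE image, which is why a once-bootable loader fails with "Security Boot Fail" after the list grows. The parser below is an added example, not part of this thread or of the Ventoy project, for auditing what a firmware's DBX actually contains. It builds a constructed sample DBX with a placeholder owner GUID and two made-up hashes; on a real system the blob can be exported with `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin` on Windows, or read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` on Linux (that file carries 4 leading attribute bytes, handled by `efivars_file=True`). The `DbxEntry` and function names are this example's own.

```python
"""
Parse a Secure Boot DBX (forbidden signature database) blob into its
EFI_SIGNATURE_LIST entries and check whether a given SHA-256 hash is revoked.

Layout of one EFI_SIGNATURE_LIST (UEFI specification):
  SignatureType       GUID    16 bytes
  SignatureListSize   UINT32  total bytes of this list, header included
  SignatureHeaderSize UINT32  usually 0
  SignatureSize       UINT32  size of each EFI_SIGNATURE_DATA entry
  SignatureHeader     SignatureHeaderSize bytes
  Signatures[]        each = SignatureOwner GUID (16) + SignatureData
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Well-known signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


@dataclass
class DbxEntry:
    sig_type: str          # "sha256", "x509" or the raw GUID string
    owner: uuid.UUID       # SignatureOwner (who added the entry)
    data: bytes            # PE hash or DER certificate


def parse_signature_lists(blob: bytes, efivars_file: bool = False) -> list[DbxEntry]:
    """Walk every EFI_SIGNATURE_LIST in `blob`. Pass efivars_file=True for a
    file read from /sys/firmware/efi/efivars/, which prefixes 4 attribute bytes."""
    if efivars_file:
        blob = blob[4:]
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_guid, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        # Bounds checks: a malformed list must not make us read past the blob.
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize {sig_size} too small for owner GUID")
        sig_type = uuid.UUID(bytes_le=raw_guid)
        type_name = TYPE_NAMES.get(sig_type, str(sig_type))
        body_start = off + _HDR.size + hdr_size
        body_len = list_size - _HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError("signature body is not a whole number of entries")
        for p in range(body_start, body_start + body_len, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append(DbxEntry(type_name, owner, blob[p + 16:p + sig_size]))
        off += list_size
    return entries


def is_revoked(blob: bytes, sha256_hex: str, **kw) -> bool:
    """True if the SHA-256 (Authenticode PE hash) appears in the DBX."""
    wanted = bytes.fromhex(sha256_hex)
    return any(e.sig_type == "sha256" and e.data == wanted
               for e in parse_signature_lists(blob, **kw))


def build_sha256_list(owner: uuid.UUID, hashes: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries. Used only to
    construct sample data here; real DBX content comes from the firmware."""
    sig_size = 16 + 32
    list_size = _HDR.size + len(hashes) * sig_size
    out = _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, sig_size)
    for h in hashes:
        out += owner.bytes_le + h
    return out


# Constructed sample DBX: two revoked hashes under a placeholder owner GUID.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # placeholder, not a real owner
REVOKED_A = hashlib.sha256(b"constructed bootloader image A").digest()
REVOKED_B = hashlib.sha256(b"constructed bootloader image B").digest()
SAMPLE_DBX = build_sha256_list(SAMPLE_OWNER, [REVOKED_A, REVOKED_B])

if __name__ == "__main__":
    for e in parse_signature_lists(SAMPLE_DBX):
        print(e.sig_type, e.owner, e.data.hex())
    print(is_revoked(SAMPLE_DBX, REVOKED_A.hex()))  # True
```

To check whether a specific boot binary is affected, compute its Authenticode hash (for example with `sigcheck` or `pesign`) and pass it to `is_revoked`; a plain file hash will not match, because the Authenticode digest skips the checksum and certificate table fields of the PE header.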
#2
Which versions of Ventoy are affected?
Reply
#3
(08-11-2022, 06:25 PM)Steve2926 Wrote: Which versions of Ventoy are affected?
 1.0.79
Reply
#4
I think I see the same issue. Very recently I am unable to boot a Ventoy USB disk.
The machine is a windows 10, BIOS is set to UEFI secure boot. BIOS cannot be changed but I think it can be if I set a BIOS password?

I have two USB disks. One is 1.0.74 and the other is 1.0.79 (installed yesterday). Both open a screen which is mostly empty, black.
At the center there is a shield outline (with a lock inside) and below it says "Security Boot Fail". No other option, no key works.

Assuming this issue is related to a recent windows update, what is the status of this issue?
Is there a plan to enable ventoy to boot with secure boot enabled?
Reply
#5
In the UEFI BIOS, you need to disable Secure Boot or clear the DBx database to remove the blacklist keys added by Windows Update.
Reply
#6
(09-03-2022, 06:04 AM)Van Flusen Wrote: In the UEFI BIOS, you need to disable Secure Boot or clear the DBx database to remove the blacklist keys added by Windows Update.
Is this a workaround while waiting for a proper update or a permanent solution? It is not described in the "About Secure Boot" doco where the old "enroll" instructions were removed.

I would rather not disable secure boot.
How do I clear a key in the DBx database (and which key should I disable)?

TIA
Reply
#7
There is no official solution.
There may be a new hack in the future, but it will only work until Microsoft adds it back to the DBx Blacklist.
It remains a cat and mouse game.

Read:
https://forums.ventoy.net/showthread.php?tid=2163

https://rmprepusb.blogspot.com/2022/08/m....html#more
Reply
#8
Clearing DBX is invalid.
Reply
#9
(09-16-2022, 02:04 PM)jiafei2427 Wrote: Clearing DBX is invalid.

Can you please elaborate on what 'is invalid' means.
Reply
#10
You need BIOS intervention, like a downgrade or a BIOS reset, to solve your problem.
Reply