08-24-2022, 12:56 PM
It should be that: The BIOS firmware trust BOOTX64.EFI (it's actually shim.efi) then BOOTX64.EFI trust grubx64.efi.
So the Ventoy .cer file is for BOOTX64.EFI to trust grubx64.efi not for the BIOS.
The BOOTX64.EFI was already signatured by Microsoft Key and should be trusted by the BIOS firmware by default.
If your BIOS report bad sig that means that your BIOS doesn't trust BOOTX64.EFI anymore.
It may because that Microsoft add the BOOTX64.EFI to the dbx and after you update Windows the dbx info will write to your motherboard and then when reboot
your BIOS find that the BOOTX64.EFI's hash is in the dbx so it refuse to boot it and report bad sig.
So what you need it to make your BIOS trust BOOTX64.EFI in some way.
So the Ventoy .cer file is for BOOTX64.EFI to trust grubx64.efi not for the BIOS.
The BOOTX64.EFI was already signatured by Microsoft Key and should be trusted by the BIOS firmware by default.
If your BIOS report bad sig that means that your BIOS doesn't trust BOOTX64.EFI anymore.
It may because that Microsoft add the BOOTX64.EFI to the dbx and after you update Windows the dbx info will write to your motherboard and then when reboot
your BIOS find that the BOOTX64.EFI's hash is in the dbx so it refuse to boot it and report bad sig.
So what you need it to make your BIOS trust BOOTX64.EFI in some way.