 Ventoy enroll key manager not working in new Dell laptops that use SecureBoot
#11
As nicgatsys said, there are no errors. When you select your Ventoy device to boot from and Dell Secure Boot is enabled, it immediately goes directly into Dell Diagnostics and starts running a diagnostic scan. It will do this over and over and never boot the Ventoy device until you disable Secure Boot.

I have 2 USBs running 1.0.99 and 1.0.94; they get the exact same result when trying to boot a new Dell laptop with Secure Boot enabled (it goes directly into Diagnostics instead of booting Ventoy). So I don't think any version will work with this.

Something has changed on the Dell side and Ventoy needs to be patched to be able to enroll the key again (as I stated in a previous post above).
#12
Did you see this? Does your BIOS have a config entry for this?

https://download.lenovo.com/pccbbs/mobil...re_PCs.pdf

Secure Boot is supported by many Linux distributions and is an important security
feature for ensuring that your boot loader and kernel have not been tampered with.

Linux distributions use a Microsoft signed ‘shim’ executable that is then able to verify
the subsequent boot stages - that have been signed with the distribution key. The
Microsoft signed shim is signed using the “Microsoft 3rd Party UEFI Certificate”, and
this certificate is stored in the BIOS database.

Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party
Certificate to be disabled by default. This means that for any of these Lenovo
platforms shipped with Windows preinstalled an extra step is needed to allow Linux to
boot with secure boot enabled.

To enable secure boot to work with Linux we need to enable the “Allow Microsoft 3rd
Party UEFI CA” option in the BIOS setup.
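A defender-side check for the mechanism the quoted Lenovo text describes: whether the Microsoft 3rd Party UEFI CA is actually present in the firmware's Secure Boot `db`, which is what decides whether a Microsoft-signed shim (and so Ventoy's MOK enrollment) can run. This is an added example, not code from the thread or from the Ventoy project; it assumes Linux with efivarfs mounted, and matching the CA's common name as a substring of the DER certificate is a heuristic, not a full X.509 parse.

```python
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification. 'db' lives under the image-security-database vendor GUID.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DB_VARIABLE = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e8b5590")
# Common name of the "Microsoft 3rd Party UEFI Certificate" that signs distribution shims.
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"


def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures and yield
    (signature_type, owner_guid, signature_data) for every EFI_SIGNATURE_DATA entry."""
    off = 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def build_signature_list(sig_type: uuid.UUID, sigs: list, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST (all entries must share a size); used for sample input."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def third_party_ca_present(db: bytes) -> bool:
    """True if some X.509 entry in db carries the 3rd Party UEFI CA's common name (heuristic)."""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_CN in sig
               for t, _, sig in parse_signature_lists(db))


def read_db_variable(path: Path = DB_VARIABLE) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word; strip it."""
    return path.read_bytes()[4:]


if __name__ == "__main__":
    print("3rd Party UEFI CA in db:", third_party_ca_present(read_db_variable()))
```

On a machine where the BIOS option is off, the CA is simply absent from `db` and the function returns False; a shim signed only by that CA is then rejected before the MOK manager ever appears.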
#13
(08-03-2024, 11:28 AM)Steve2926 Wrote: Did you see this? Does your BIOS have a config entry for this?

https://download.lenovo.com/pccbbs/mobil...re_PCs.pdf

Secure Boot is supported by many Linux distributions and is an important security
feature for ensuring that your boot loader and kernel have not been tampered with.

Linux distributions use a Microsoft signed ‘shim’ executable that is then able to verify
the subsequent boot stages - that have been signed with the distribution key. The
Microsoft signed shim is signed using the “Microsoft 3rd Party UEFI Certificate”, and
this certificate is stored in the BIOS database.

Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party
Certificate to be disabled by default. This means that for any of these Lenovo
platforms shipped with Windows preinstalled an extra step is needed to allow Linux to
boot with secure boot enabled.

To enable secure boot to work with Linux we need to enable the “Allow Microsoft 3rd
Party UEFI CA” option in the BIOS setup.


That option is actually available in the Dell BIOS and enabling it then allows you to enroll the Ventoy key. Great find! Thanks!
#14
(08-05-2024, 03:51 PM)MBSTech Wrote:
(08-03-2024, 11:28 AM)Steve2926 Wrote: Did you see this? Does your BIOS have a config entry for this?

That option is actually available in the Dell BIOS and enabling it then allows you to enroll the Ventoy key. Great find! Thanks!

This workaround now no longer works. We are now back where this thread started. Must disable Secure Boot on Dell laptops in order to use Ventoy.

I really like Ventoy, but this is eventually going to make me find a different option for booting ISOs other than Ventoy. Constantly turning Secure Boot off and on just to boot an ISO is getting old quickly.
#15
This was being tracked in GitHub at the following URL, but for some reason that issue was deleted:
https://github.com/ventoy/Ventoy/issues/2902

This issue is not resolved. Older versions of Ventoy don't have this issue.

On a Dell Latitude E6540, for example, which is from circa 2018, the "Allow Microsoft 3rd Party UEFI CA" option does not exist.

Disabling Secure Boot is not a solution, that's a workaround.

For now, I've downgraded to Ventoy 1.0.98, which still allows enrollment.

Possibly related: https://github.com/ventoy/Ventoy/issues/135
#16
Version 1.0.98 does not work for me. I still have to disable Secure Boot.
#17
(09-04-2024, 11:28 PM)Epictetus Wrote: Version 1.0.98 does not work for me. I still have to disable Secure Boot.

Do you see the MOK manager?
#18
I'm wondering whether the issue with Secure Boot not working is related to this incident. The timeline seems similar, but it's unknown if they're related. Since Microsoft rotated Secure Boot keys, my guess is that it's related.

https://www.tomshardware.com/software/se...200-models
#19
See the possible shim workaround by a contributor. Others are reporting that this works for now.

https://github.com/ventoy/Ventoy/issues/...2362323248