Login

Van Flusen · (This post was last modified: 08-11-2022, 04:38 PM by Van Flusen.)

After Windows update KB5012170 (August 9, 2022), Ventoy can no longer be booted with Secure boot enabled.

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the "Applies to" section. Key changes include the following:

Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.

KB5012170

Steve2926 · 08-11-2022, 06:25 PM

Which versions of Ventoy are affected?

Van Flusen · 08-11-2022, 06:37 PM

(08-11-2022, 06:25 PM)Steve2926 Wrote: Which versions of Ventoy are affected?

1.0.79

eyal · 09-02-2022, 11:51 PM

I think I see the same issue. very recently I am unable to boot a ventoy USB disk.
The machine is a windows 10, BIOS is set to UEFI secure boot. BIOS cannot be changed but I think it can be if I set a BIOS password?

I have two USB disks. One is 1.0.74 and the other is 1.0.79 (installed yesterday). Both open a screen which is mostly empty, black.
At the center there is a shield outline (with a lock inside) and below it says "Security Boot Fail". No other option, no key works.

Assuming this issue is related to a recent windows update, what is the status of this issue?
Is there a plan to enable ventoy to boot with secure boot enabled?

Van Flusen · 09-03-2022, 06:04 AM

In the UEFI BIOS, you need to disable Secure Boot or clear the DBx database to remove the blacklist keys added by Windows Update.

eyal · 09-03-2022, 01:38 PM

(09-03-2022, 06:04 AM)Van Flusen Wrote: In the UEFI BIOS, you need to disable Secure Boot or clear the DBx database to remove the blacklist keys added by Windows Update.

Is this a workaround while waiting for a proper update or a permanent solution? It is not described in the "About Secure Boot" doco where the old "enroll" instructions were removed.

I would rather not disable secure boot.
How do I clear a key in the DBx database (and which key should I disable)?

TIA

Van Flusen · 09-03-2022, 02:34 PM

There is no official solution.
There may be a new hack in the future, but it will only work until Microsoft adds it back to the DBx Blacklist.
It remains a cat and mouse game.

Read:
https://forums.ventoy.net/showthread.php?tid=2163

https://rmprepusb.blogspot.com/2022/08/m....html#more

jiafei2427 · 09-16-2022, 02:04 PM

Clearing DBX is invalid.

eyal · 09-18-2022, 07:19 AM

(09-16-2022, 02:04 PM)jiafei2427 Wrote: Clearing DBX is invalid.

Can you please elaborate on what 'is invalid' mean.

nguyen ha thai trong · 09-18-2022, 09:59 AM

You need BIOS intervention like downgrade or reset BIOS to solve your problem

Login
Username:
Password:	Lost Password?
	Remember me