Posts: 4
Threads: 3
Joined: Jul 2022
Reputation:
0
08-24-2022, 12:48 PM
My laptop Secure-Boot menus contain a few places that allow me to load the ventoy .cer file, which I did (it shows up with the name "grub"). I was a bit confused during the add process though, since it prompts me for a UUID number before allowing the add.
Anyhow - I still get the red "bad sig" error and it won't boot ventoy.
Does anyone have suggestions for how to get this to work?
If you need me to help get this working, I'm happy to do screenshots and experiments etc.
Posts: 1,357
Threads: 85
Joined: Apr 2020
Reputation:
132
It should be that: The BIOS firmware trust BOOTX64.EFI (it's actually shim.efi) then BOOTX64.EFI trust grubx64.efi.
So the Ventoy .cer file is for BOOTX64.EFI to trust grubx64.efi not for the BIOS.
The BOOTX64.EFI was already signatured by Microsoft Key and should be trusted by the BIOS firmware by default.
If your BIOS report bad sig that means that your BIOS doesn't trust BOOTX64.EFI anymore.
It may because that Microsoft add the BOOTX64.EFI to the dbx and after you update Windows the dbx info will write to your motherboard and then when reboot
your BIOS find that the BOOTX64.EFI's hash is in the dbx so it refuse to boot it and report bad sig.
So what you need it to make your BIOS trust BOOTX64.EFI in some way.
Posts: 4
Threads: 3
Joined: Jul 2022
Reputation:
0
@longpanda - awesome reply!!
My BIOS has complete control over loading, appending, exporting, and deleting Secure-Boot certificates and hashes etc.
Would you (or anyone else reading this) be able to upload the certificate or other thing that I need to import to get this going ?
I already exported everything in my BIOS (abundance-of-caution-backup before adding the ENROLL_THIS_KEY_IN_MOKMANAGER.cer in there.
The files BIOS wrote to my USB Stick include:
db
dbt
dbx
KEK
PK
If this forum can do photos, I'll upload all the screenshots of this after I reboot.
If we get this working, I'll also upload all the instructions, screenshots and other files that any other ASUS users might need to also get Ventoy working for them too.
Posts: 57
Threads: 9
Joined: May 2020
Reputation:
7
I don't know if I understood you correctly.
The latest Windows security update KB5012170 has updated the dbx database so that the Ventoy Secure Boot option no longer works.
On a Dell Optiplex I backed up the database, deleted the keys in the dbx database and loaded the default keys.
Ventoy Secure Boot Option works.
On an ASUS Prime x570 Pro, deleting the keys in the dbx database did not work.
I deleted all databases in key management and then loaded the default keys.
Ventoy Secure Boot Option works.