After a few days (9?) I have an active account.
I hope that the content of the post I wrote on September 1st is still relevant.
Applies to: Ventoy ver. 1.0.99.
On August 31, 2024, Debian was updated (12.6 -> 12.7, 11.10 -> 11.11).
In these releases, among other things, shim packages were updated (to version 15.8, signed to 1.44+15.8).
Even oldoldstable Buster received an update: https://tracker.debian.org/pkg/shim-signed (sic!).
In these updates, to put it simply, shim numbers were raised from 2 to 4.
You can see these numbers by issuing the command:
mokutil --list-sbat-revocations
Debian was probably the last to do it.
Fedora, OpenSuse did it earlier.
Also Ubuntu/Mint/Clonezilla, which downloaded the latest shim from Debian Sid.
Even Windows reportedly released such an update on August 13.
Now that we have Secure Boot enabled (+ Ventoy UEFI key included) and new shim numbers in UEFI, we will not be able to start older systems (e.g. installed on a USB stick) that do not contain this update.
We will see the message:
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
and after a few seconds the computer will turn off by itself.
The only thing we can do then is to enter BIOS and disable Secure Boot or disconnect the USB drive with the older system (lower shim numbers).
We can also lower the shim number in the computer's UEFI (# mokutil --set-sbat-policy delete) or try to replace files in the Ventoy /EFI/BOOT/ directory ourselves.
Updating Ventoy on the updated system (shim 4) does nothing - Ventoy still has files from 2024-06-08 in the /EFI/BOOT/ directory.
That's why I think there's no point in trying to figure it out yourself.
A big request to Ventoy developers - update Ventoy.
Best regards.
I hope that the content of the post I wrote on September 1st is still relevant.
Applies to: Ventoy ver. 1.0.99.
On August 31, 2024, Debian was updated (12.6 -> 12.7, 11.10 -> 11.11).
In these releases, among other things, shim packages were updated (to version 15.8, signed to 1.44+15.8).
Even oldoldstable Buster received an update: https://tracker.debian.org/pkg/shim-signed (sic!).
In these updates, to put it simply, shim numbers were raised from 2 to 4.
You can see these numbers by issuing the command:
mokutil --list-sbat-revocations
Debian was probably the last to do it.
Fedora, OpenSuse did it earlier.
Also Ubuntu/Mint/Clonezilla, which downloaded the latest shim from Debian Sid.
Even Windows reportedly released such an update on August 13.
Now that we have Secure Boot enabled (+ Ventoy UEFI key included) and new shim numbers in UEFI, we will not be able to start older systems (e.g. installed on a USB stick) that do not contain this update.
We will see the message:
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
and after a few seconds the computer will turn off by itself.
The only thing we can do then is to enter BIOS and disable Secure Boot or disconnect the USB drive with the older system (lower shim numbers).
We can also lower the shim number in the computer's UEFI (# mokutil --set-sbat-policy delete) or try to replace files in the Ventoy /EFI/BOOT/ directory ourselves.
Updating Ventoy on the updated system (shim 4) does nothing - Ventoy still has files from 2024-06-08 in the /EFI/BOOT/ directory.
That's why I think there's no point in trying to figure it out yourself.
A big request to Ventoy developers - update Ventoy.
Best regards.