ventoy / Ventoy

A new bootable USB solution.
https://www.ventoy.net
GNU General Public License v3.0

Invalid signature detected. Check secure boot policy in setup #1666

Open SeriousHoax opened 2 years ago

SeriousHoax commented 2 years ago

Official FAQ

Ventoy Version

1.0.76

What about latest release

Yes. I have tried the latest release, but the bug still exists.

BIOS Mode

UEFI Mode

Partition Style

MBR

Disk Capacity

16

Disk Manufacturer

ADATA

Image file checksum (if applicable)

No response

Image file download link (if applicable)

No response

What happened?

I updated my motherboard's BIOS yesterday to the latest version F63b, which includes fixes for TPM related stuttering. https://www.gigabyte.com/Motherboard/B450M-S2H-rev-1x/support#support-dl-bios After that, my BIOS settings were changed and I had to restore keys to default in order to enable Secure Boot. I guess after that the Ventoy certificate that I imported a long time ago while installing Ventoy for the first time got removed. Now when I try to boot my flash drive by selecting the Ventoy partition, which is partition 2 in my case, I can't get into Ventoy. The BIOS throws an error saying, "Invalid signature detected. Check secure boot policy in setup". I can't go into the mokmanager to enroll the certificate. I'm stuck. The only way to use Ventoy now is to disable Secure Boot. I guess the latest BIOS doesn't trust the certificate anymore. Anyway, I'm not an expert. Can you do something to fix this?

ventoy commented 2 years ago

Did you update your Ventoy to the latest 1.0.76 and make sure you have enabled the Secure Boot Support option? Please upload a screenshot of the Ventoy2Disk.exe GUI here.

SeriousHoax commented 2 years ago

Did you update your Ventoy to the latest 1.0.76 and make sure you have enabled the Secure Boot Support option? Please upload a screenshot of the Ventoy2Disk.exe GUI here.

Yes, I did both. I always update Ventoy when a new version is released. I have been using Ventoy for a while so I'm aware of this. I even completely removed Ventoy from my flash drive and reinstalled it with version 1.0.75 and then updated it to 1.0.76 yesterday. Secure boot option is also enabled. But still getting the error. I'm not on my PC at the moment. I'll share the screenshot later if you want. But I'm sure I did my part correctly.

ventoy commented 2 years ago

OK. If you did it right, then it's not about the certificate, it's about the shim. https://github.com/ventoy/Ventoy/blob/master/INSTALL/EFI/BOOT/BOOTX64.EFI This file is actually a shim (v15-8), from Fedora, signed with Microsoft key.

Your BIOS reported "Invalid signature detected"; it means that your BIOS doesn't trust the BOOTX64.EFI file. It should be accepted because it was signed with Microsoft key and almost all BIOSes integrate the Microsoft key by default.

Only if the BIOS accepts the BOOTX64.EFI file and boots it can you enroll the key; otherwise you have no chance to enroll the key. The enrolled Ventoy key is for other files, not for the BOOTX64.EFI file, because it was signed with Microsoft key and should be accepted by the BIOS by default.

SeriousHoax commented 2 years ago

Oh, I see. I tried the Enroll efi image option in my BIOS and selected the BOOTX64.EFI which then added it to something like Authorized certificate or something. Forgot the exact name. I thought it might work but it didn't. I'll share some screenshots later.

steve6375 commented 2 years ago

Does the BIOS have an option to 'Load default keys'?

SeriousHoax commented 2 years ago

Does the BIOS have an option to 'Load default keys'?

Yeah, I think it has. Should I try it?

steve6375 commented 2 years ago

yes.

SeriousHoax commented 2 years ago

yes.

There is "Restore Factory Keys". But no luck even after doing that.

SeriousHoax commented 2 years ago

Here are the screenshots.

Screenshot: ![1](https://user-images.githubusercontent.com/29574622/173393372-43ee79d9-f124-4ce9-b933-f6dffc92d5d6.png) ![2](https://user-images.githubusercontent.com/29574622/173393380-79ad91b8-f24d-473a-9c0c-373633d7786f.jpg) ![3](https://user-images.githubusercontent.com/29574622/173393420-86c532e0-e06e-45f0-a26f-0dbb46ef2113.jpg) ![4](https://user-images.githubusercontent.com/29574622/173393452-dd7dbbcd-d09b-49a8-bfbe-049dfa3300a1.jpg) ![5](https://user-images.githubusercontent.com/29574622/173393480-f37ad90f-f126-4cf0-9999-c853711ad089.jpg) ![6](https://user-images.githubusercontent.com/29574622/173393499-2ed2a14d-2cf9-4d27-bb7d-c47705505831.jpg) ![7](https://user-images.githubusercontent.com/29574622/173393508-6e531ae7-958c-4956-b8a1-4dff3d360fa1.jpg) ![8](https://user-images.githubusercontent.com/29574622/173393521-a69ee208-ad58-4b8d-97e8-fa3ecf6c0a0e.jpg) ![9](https://user-images.githubusercontent.com/29574622/173393546-0f71a7f0-b100-416e-98d7-5a37e1af98cf.jpg) ![10](https://user-images.githubusercontent.com/29574622/173393557-6b6c52a3-b7bd-44fe-ba39-6050e6eadb92.jpg) ![11](https://user-images.githubusercontent.com/29574622/173393573-925d3f78-ace0-4ce3-93f0-f98e36e67167.jpg)

rwasef1830 commented 2 years ago

@SeriousHoax try to erase the revocation key list in bios (forbidden keys)

SeriousHoax commented 2 years ago

@SeriousHoax try to erase the revocation key list in bios (forbidden keys)

It worked after deleting the fourth item on the list, which contains 183 forbidden signatures. There's no way to choose. It deletes all of them. I guess among these there are malicious signatures also which could be used by malware that attacks UEFI. Deleting all 183 of them is not an ideal solution, I suppose. Maybe a new certificate has to be used that's not blacklisted. Otherwise, users won't be able to use Super-UEFIinSecureBoot-Disk or Ventoy in the future.

rwasef1830 commented 2 years ago

Looks like they have 183 specific SHA256 hashes blacklisted. Probably the shim version used is one of them. My BIOS is the same also.

SeriousHoax commented 2 years ago

Looks like they have 183 specific SHA256 hashes blacklisted. Probably the shim version used is one of them. My BIOS is the same also.

Hmm, you're right, it seems. I hope the devs will be able to come up with a solution.

rwasef1830 commented 2 years ago

Another report here https://www.youtube.com/watch?v=w8r-U2C7UMs

SeriousHoax commented 2 years ago

Another report here https://www.youtube.com/watch?v=w8r-U2C7UMs

Oh, so they did this a while ago. MSI has even a larger blacklist.

ValdikSS commented 2 years ago

That's strange. No hash from this firmware version DBX database matches any file in SUISBD or Ventoy 1.0.76. The revoked certificates of Canonical, Debian and Virtual UEFI are not used either.

B450MS2H_dbx.bin.zip


$ dbxtool -l -d B450MS2H_dbx.bin

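The comparison discussed in the comment above, as an added example (not code from this thread, Ventoy or dbxtool): a `sha256` entry in dbx is the Authenticode digest of the PE image, which skips the checksum field and the embedded signature, so a lookup has to compute that digest rather than the SHA-256 of the whole file. It assumes the dump is raw concatenated `EFI_SIGNATURE_LIST` data with no variable header; the function names, the minimal PE image and the dbx contents are constructed for illustration.

```python
import collections
import hashlib
import struct
import uuid

SIG_TYPES = {
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",     # EFI_CERT_SHA256_GUID
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509_cert",  # EFI_CERT_X509_GUID
}

def parse_signature_lists(blob):
    """Yield (type name, owner GUID, data) for each entry of concatenated EFI_SIGNATURE_LISTs."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or pos + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        first = pos + 28 + hdr_size
        for off in range(first, pos + list_size - sig_size + 1, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])
            yield SIG_TYPES.get(sig_type, str(sig_type)), owner, blob[off + 16:off + sig_size]
        pos += list_size

def authenticode_sha256(pe):
    """SHA-256 over a PE image, excluding CheckSum, the cert-table entry and the cert table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory offset
    n_dirs, = struct.unpack_from("<I", pe, dirs - 4)
    hdr_end, = struct.unpack_from("<I", pe, opt + 60)  # SizeOfHeaders
    h = hashlib.sha256()
    h.update(pe[:opt + 64])                        # everything before CheckSum
    cert_size = 0
    if n_dirs > 4:                                 # directory 4 = certificate table
        entry = dirs + 4 * 8
        cert_size, = struct.unpack_from("<I", pe, entry + 4)
        h.update(pe[opt + 68:entry])
        h.update(pe[entry + 8:hdr_end])
    else:
        h.update(pe[opt + 68:hdr_end])
    sections = []
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = hdr_end
    for raw_ptr, raw_size in sorted(sections):     # sections in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(pe) - cert_size > hashed:               # trailing data that is not the signature
        h.update(pe[hashed:len(pe) - cert_size])
    return h.digest()

def check_against_dbx(pe, dbx_blob):
    """Return (entry counts by type, True if the image digest is a dbx sha256 entry).

    Only hash entries are checked; revocation by x509_cert entry is not evaluated here.
    """
    digest = authenticode_sha256(pe)
    counts = collections.Counter()
    listed = False
    for kind, _owner, data in parse_signature_lists(dbx_blob):
        counts[kind] += 1
        listed |= kind == "sha256" and data == digest
    return dict(counts), listed

def make_signature_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (used only to construct sample input)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body

def constructed_pe(signature=b""):
    """Constructed minimal PE32+ image (not a real bootloader), optionally 'signed'."""
    img = bytearray(1024)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)
    img[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = 88
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 60, 512)         # SizeOfHeaders
    struct.pack_into("<I", img, opt + 108, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 240 + 16, 512, 512)  # .text raw size, raw pointer
    img[512:1024] = b"\x90" * 512
    if signature:
        struct.pack_into("<II", img, opt + 112 + 32, 1024, len(signature))
        struct.pack_into("<I", img, opt + 64, 0xDEADBEEF)   # checksum changes when signed
    return bytes(img) + signature

if __name__ == "__main__":
    owner = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # owner GUID used for the sample
    sha256_t = next(g for g, n in SIG_TYPES.items() if n == "sha256")
    image = constructed_pe(b"\x30\x82" + bytes(22))
    dbx = make_signature_list(sha256_t, owner, [bytes(32), authenticode_sha256(image)])
    print("flat sha256 :", hashlib.sha256(image).hexdigest())
    print("authenticode:", authenticode_sha256(image).hex())
    print("dbx check   :", check_against_dbx(image, dbx))
```
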
SeriousHoax commented 2 years ago

@ValdikSS WoW! That's so strange. Maybe they have some other internal blacklist that's not being shown here? Can't think of anything else. BTW, just now I was able to get into Ventoy with Secure Boot enabled by using a silly method. Can't believe it worked. I used an MD5 hash changer app to change the hash of "BOOTX64.EFI" and placed it in "EFI\BOOT" folder in the Ventoy (VTOYEFI) partition, replacing the original one. Then used the "Enroll EFI image" option of my BIOS to enroll this new hashed "BOOTX64.EFI" which then was added into the BIOS's "Authorized Signatures" list, and now I can boot into Ventoy even with all 186 "Forbidden Signatures" enabled. Lol. This might not be the ideal solution, but it's working for me at the moment. Booted a Windows 11 and Macrium Reflect image with no issues.

ValdikSS commented 2 years ago

@SeriousHoax, are you completely sure you're running Ventoy 1.0.76? What's the sha256 hash of BOOTX64.EFI on your drive?

SeriousHoax commented 2 years ago

@SeriousHoax, are you completely sure you're running Ventoy 1.0.76? What's the sha256 hash of BOOTX64.EFI on your drive?

Yes, I am. As you can see from the screenshot I shared above. The sha256 hash is: e6cb6a3dcbd85954e5123759461198af67658aa425a6186ffc9b57b772f9158f

ValdikSS commented 2 years ago

@SeriousHoax, try these files. These are from just-released Fedora shim-15.6-1

test.zip

SeriousHoax commented 2 years ago

@SeriousHoax, try these files. These are from just-released Fedora shim-15.6-1

test.zip

First, I updated Ventoy to the latest 1.0.77 version which also shows the same error we're discussing here. Then I replaced the two files in my "G:\EFI\BOOT" with the files you gave above in the zip file. Restarted the system and followed the method described here: https://www.ventoy.net/en/doc_secure.html But the mokmanager keeps coming back instead of booting. Let me know if I did anything wrong: https://drive.google.com/file/d/1O_kQ8qmlGTpE-erhg-Jwpt7Cwpl1WRW_/view?usp=sharing

rwasef1830 commented 2 years ago

I think that means the grub itself also is blacklisted by the BIOS, so it ignores mokmanager's enrollment. @SeriousHoax

ValdikSS commented 2 years ago

@SeriousHoax, you're right, this seems like a regression in the new shim. https://bugzilla.redhat.com/show_bug.cgi?id=1955416#c91

ValdikSS commented 2 years ago

@SeriousHoax, try this. BOOT.zip

rwasef1830 commented 2 years ago

@ValdikSS for some reason that file triggers MS Defender, I wonder if it's intentional from MS

ValdikSS commented 2 years ago

@rwasef1830, virustotal says "undetected" on every file, including Microsoft.

SeriousHoax commented 2 years ago

@SeriousHoax, try this. BOOT.zip

Just tested. It works :)

SeriousHoax commented 2 years ago

@ValdikSS for some reason that file triggers MS Defender, I wonder if it's intentional from MS

Is it detecting the zip file? MS Defender's ML has lately become super aggressive against zip files and producing a lot of false positives. It even detects harmless zip files often. Yesterday, it detected a zip file of mine upon downloading which only had 5 harmless screenshots of a poem. It has been troubling me a lot lately.

rwasef1830 commented 2 years ago

@SeriousHoax yes, it's triggering on the zip file itself, not the contents. It's very weird.

SeriousHoax commented 2 years ago

@SeriousHoax yes, it's triggering on the zip file itself, not the contents. It's very weird.

Hmm, so I'm not the only one. The thing is MS doesn't care about home users. Unless an enterprise customer complains, they won't do anything to fix it. Anyway, let's not go off-topic. As you realized the file is harmless and Ventoy is working again with this so that's good news.

ValdikSS commented 2 years ago

https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/releases/tag/3-4 @ventoy ^^^

ValdikSS commented 2 years ago

https://github.com/ventoy/Ventoy/releases/tag/v1.0.78

Update Super-UEFIinSecureBoot-Disk to v3.4 (https://github.com/ventoy/Ventoy/issues/1695)

I guess this issue could also be closed.

AlvinZhu commented 2 years ago

@SeriousHoax, try this. BOOT.zip

Just tested. It works :)

https://github.com/ventoy/Ventoy/releases/tag/v1.0.78

Update Super-UEFIinSecureBoot-Disk to v3.4 (#1695)

I guess this issue could also be closed.

Yes. It works in most cases, including my Intel NUC. But on my laptop, the Ubuntu or archlinux ISO cannot boot. When I try to boot archlinux-2022.07.01-x86_64.iso:

error: shim_lock protocol not found.
error: you need to load the kernel first.

The archlinux.iso can boot if I sign the bootloader (systemd-boot) and regenerate the ISO.

When I try to boot ubuntu-22.04.1-desktop-amd64.iso:

error: can't allocate initrd.
Press any key to continue...

Windows ISO works.

Even when I disable Secure Boot. So I guess that's why they rolled back Super-UEFIinSecureBoot-Disk to v3.3 in the 1.0.79 release.

FadeMind commented 2 years ago

Manjaro ISO cannot boot with BOOT files fix. Windows/WinPE boot fine. Ubuntu ISO boot fine.

Merennor commented 2 years ago

Ventoy 1.0.78 = Booting

Ventoy 1.0.79 = Error (Invalid signature detected. Check Secure Boot Policy in setup) (BIOS: FX506LI ver. 310) / MBR + UEFI (Secure Boot Support)

DesktopMasters commented 2 years ago

@SeriousHoax, try this. BOOT.zip

I was on v75 when I encountered this problem on my test machine. Then upgraded to v79 and it did not resolve it. I had to replace my files with the ones in the BOOT.zip to get it to work. Am I missing something or should the upgrade not have handled that?

justinkb commented 2 years ago

still a problem on 1.0.80 for me (hp laptop)

zengxinhui commented 2 years ago

still a problem on 1.0.80 for me (hp laptop)

1.0.80 and hp laptop as well here.

vordenken commented 2 years ago

Same Problem on HP Pavilion Laptop (preinstall Win11) and Ventoy 1.0.80

SeriousHoax commented 2 years ago

@SeriousHoax, try this. BOOT.zip

Just tested. It works :)

I have not updated Ventoy since this, which is version 1.0.78. It still works for me, so I'm sticking to this one unless there's a new version that works for all.

Arcitec commented 1 year ago

Solved: https://github.com/ventoy/Ventoy/issues/1243#issuecomment-1366812283

SeriousHoax commented 1 year ago

Solved: #1243 (comment)

Hello @Bananaman , So it's finally solved? Can we all now update to the latest version of Ventoy without any issue?

DesktopMasters commented 1 year ago

👍👌

Arcitec commented 1 year ago

Hello @Bananaman , So it's finally solved? Can we all now update to the latest version of Ventoy without any issue?

I have the latest Ventoy 1.0.86 released December 24th, yes.


The "Option: Secure Boot" is enabled, and style is set to GPT.

Booted it with Secure Boot enabled in my motherboard's UEFI-mode BIOS (without legacy BIOS support). Ventoy came up without any errors. I then booted Fedora 37's ISO from Ventoy. And then inside Fedora I ran sudo mokutil --sb-state which confirmed that Secure Boot is enabled.

Ventoy is definitely working. But I cannot guarantee that your particular motherboard contains a fixed BIOS, so you must be sure to first update your BIOS to the latest version. Old AMD BIOS don't support Ventoy's secure boot. That's the issue that affected me before I updated my BIOS.

Arcitec commented 1 year ago

The error you're seeing is related to the BIOS, not Ventoy. Try a full update of your BIOS, a full CMOS reset, re-enroll default keys, and be sure that your BIOS is set to a Secure Boot mode that allows you to enroll more keys. In some BIOS you may have to enable some "Custom Secure Boot" mode to let it enroll keys, otherwise the motherboard will refuse custom keys and will only use Microsoft's Windows keys. Good luck. :)

The boot process is: Ventoy boots via SHIM (works on all sufficiently-updated motherboards, and it's signed by Microsoft's key). The SHIM then runs MokUtil to enroll the custom Ventoy signing key. Then it finally boots Ventoy.

Multimedia33 commented 4 months ago

I have already run into this kind of problem, with an invalid signature detected after an MS update. The problem came from the BIOS: once the update was done, the BIOS reset itself to its factory default state. The PC would no longer boot, simply because the disk was protected by BitLocker. Once the key was disabled, the PC restarted and I was then able to turn BitLocker back on.