ventoy / Ventoy

A new bootable USB solution.
https://www.ventoy.net
GNU General Public License v3.0

[issue]: Unable to proceed with SecureBoot in serial_console mode #2784

Open ahussey-redhat opened 3 months ago

ahussey-redhat commented 3 months ago

Official FAQ

Ventoy Version

1.0.97

What about latest release

Yes. I have tried the latest release, but the bug still exists.

Try alternative boot mode

No. I didn't try these alternative boot modes.

BIOS Mode

UEFI Mode

Partition Style

MBR

Disk Capacity

32GB

Disk Manufacturer

Sandisk

Image file checksum (if applicable)

None

Image file download link (if applicable)

No response

What happened?

I am deploying RHEL on a Dell XR4000w (https://www.dell.com/support/manuals/en-au/poweredge-xr4000w/pexr4000w_ism_pub/witness-host-deployment?guid=guid-a2b82040-42d0-4c1a-a5cd-9b17f44343e3&lang=en-us).

I can successfully do this using a standard RHEL ISO, or by using a standard RHEL ISO + mkksiso to inject a kickstart file, but I would like to use Ventoy as it offers more flexibility.

When it boots from the USB I get the following screen (note that the XR4000w only has a serial console): [screenshot]

I attempt to follow the instructions at https://www.ventoy.net/en/doc_secure.html, but get the following error when I press [ENTER]: [screenshot]

If I press enter again or the timeout exceeds, the host resets

ahussey-redhat commented 3 months ago

If I quickly press enter it progresses to this: [screenshot]

I can select options, but the selected option isn't highlighted so I have to guess: [screenshot]

ahussey-redhat commented 3 months ago

After successful enrolment, everything seems to progress correctly

A question, unrelated to this issue - is it possible for Ventoy to modify the efiboot.img? In this environment the installer falls back to the UEFI config in that image, which means on boot I have to manually edit the boot menu to enable console=ttyS0,115200. I have already defined the conf_replace files with the appropriate modifications:

    {
        "conf_replace": [
            {
                "iso": "/rhel-9.3-x86_64-dvd.iso",
                "org": "/isolinux/isolinux.cfg",
                "new": "/ventoy/isolinux.cfg"
            },
            {
                "iso": "/rhel-9.3-x86_64-dvd.iso",
                "org": "/isolinux/grub.conf",
                "new": "/ventoy/isolinux-grub.conf"
            },
            {
                "iso": "/rhel-9.3-x86_64-dvd.iso",
                "org": "/EFI/BOOT/grub.conf",
                "new": "/ventoy/efi-boot-grub.cfg"
            }
        ]
    }

This is what I have to type in every time I boot from the USB, even with the above modifications: [screenshot]

catherinedoyel commented 3 months ago

The Ventoy secure boot is based off of enrolling a Machine Owner Key (MOK). If someone gets root they can add files from the VTOYEFI partition and rootkit your machine by putting some of these files in your EFI system partition, as all Ventoy installations use the same MOK key and do not restrict what other binaries you can boot from. I like to think of the Ventoy secure boot support like a bolt cutter on a padlock. To remove the key I would get this rpm; you do not need to install this package, just extract it and get KeyTool.efi from usr/share/efitools/efi and put it on your Ventoy with your ISOs. You can then delete the MOK with password 123 if it asks for it.

As for your boot configuration issue I would recommend attaching your conf & cfg files to the issue to take a closer look. You wouldn't want to edit the efiboot.img file directly.
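A defender-side check prompted by the MOK discussion above, added here as an example and not code from Ventoy or from either commenter: it parses `mokutil --list-enrolled` output and reports enrolled keys whose subject or issuer matches a name pattern, so a fleet can be audited for a shared third-party MOK. The sample output and the "ventoy" subject string are constructed assumptions; the real Ventoy certificate subject is not given on this page, so adjust the pattern to the actual certificate name.

```python
import re
import subprocess
import sys

# Constructed sample in the shape of `mokutil --list-enrolled` output (not a real dump);
# key 2 stands in for a shared Ventoy-style MOK with a placeholder subject name.
SAMPLE_MOK_LIST = """\
[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Example Linux, CN=Example Secure Boot CA
        Subject: C=US, O=Example Linux, CN=Example Secure Boot CA
[key 2]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Ventoy Secure Boot MOK (PLACEHOLDER)
        Subject: CN=Ventoy Secure Boot MOK (PLACEHOLDER)
"""

def parse_mok_list(text):
    """Parse mokutil-style output into a list of {fingerprint, issuer, subject} dicts."""
    keys = []
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.M)[1:]:
        entry = {"fingerprint": None, "issuer": None, "subject": None}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("SHA1 Fingerprint:"):
                entry["fingerprint"] = line.split(":", 1)[1].strip()
            elif line.startswith("Issuer:"):
                entry["issuer"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subject:"):
                entry["subject"] = line.split(":", 1)[1].strip()
        keys.append(entry)
    return keys

def find_shared_moks(text, pattern=r"ventoy"):
    """Return enrolled keys whose subject or issuer matches pattern (case-insensitive)."""
    rx = re.compile(pattern, re.I)
    return [k for k in parse_mok_list(text)
            if rx.search(k["subject"] or "") or rx.search(k["issuer"] or "")]

if __name__ == "__main__":
    try:  # use the live MOK list when mokutil exists, else the constructed sample
        out = subprocess.run(["mokutil", "--list-enrolled"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_MOK_LIST
    hits = find_shared_moks(out)
    for k in hits:
        print(f"shared third-party MOK enrolled: {k['subject']} ({k['fingerprint']})")
    sys.exit(1 if hits else 0)
```

A non-zero exit means a matching MOK is enrolled and the host will boot anything signed with that key, which is the condition the comment above describes.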