ventoy / Ventoy

A new bootable USB solution.
https://www.ventoy.net
GNU General Public License v3.0

[issue]: Cannot boot with secureboot enabled #3006

Open flixman opened 4 weeks ago

flixman commented 4 weeks ago

Official FAQ

Ventoy Version

1.0.99

What about latest release

Yes. I have tried the latest release, but the bug still exists.

Try alternative boot mode

Yes. I have tried them, but the bug still exists.

BIOS Mode

UEFI Mode

Partition Style

MBR

Disk Capacity

64GB

Disk Manufacturer

HP

Image file checksum (if applicable)

None

Image file download link (if applicable)

No response

What happened?

I have flashed a new USB stick with Ventoy and I have tried to boot it with my computer. It has secure boot enabled + MOK for my own EFI signatures, and it has failed. If I run it with SB disabled, it boots successfully. I have then mounted the device on a folder and checked the EFI signatures:

# for i in kk/EFI/BOOT/*.{EFI,efi}; do echo $i; sbverify $i; done
kk/EFI/BOOT/BOOTAA64.EFI
No signature table present
Signature verification failed

kk/EFI/BOOT/BOOTIA32.EFI
warning: data remaining[609280 vs 742064]: gaps between PE/COFF sections?
No signature table present
Signature verification failed

kk/EFI/BOOT/BOOTMIPS.EFI
Invalid PE header magic
Can't open image kk/EFI/BOOT/BOOTMIPS.EFI

kk/EFI/BOOT/BOOTX64.EFI
warning: data remaining[827296 vs 953800]: gaps between PE/COFF sections?
Signature verification OK

kk/EFI/BOOT/MokManager.efi
warning: data remaining[734208 vs 852408]: gaps between PE/COFF sections?
Signature verification failed

kk/EFI/BOOT/grub.efi
warning: data remaining[53160 vs 64120]: gaps between PE/COFF sections?
Signature verification failed

kk/EFI/BOOT/grubia32.efi
warning: data remaining[46504 vs 58488]: gaps between PE/COFF sections?
Signature verification failed

kk/EFI/BOOT/grubia32_real.efi
No signature table present
Signature verification failed

kk/EFI/BOOT/grubx64_real.efi
No signature table present
Signature verification failed

kk/EFI/BOOT/mmia32.efi
warning: data remaining[555336 vs 678576]: gaps between PE/COFF sections?
Signature verification failed

So, for BOOTX64.EFI the signature check succeeds, but for grub.efi it does not. When listed, this is what I get:

# sbverify --list kk/EFI/BOOT/grub.efi
warning: data remaining[53160 vs 64120]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=grub
image signature certificates:
 - subject: /CN=grub
   issuer:  /CN=grub

So I assume that the certificate must be installed by mokmanager.efi, but when I list the certs for that one, I get the following:

# sbverify --list kk/EFI/BOOT/MokManager.efi 
warning: data remaining[734208 vs 852408]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
image signature certificates:
 - subject: /CN=SUSE Linux Enterprise Secure Boot Signkey/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
   issuer:  /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de

And, in my system, I have the default certificates that came with UEFI + an additional one through MOK. I am not sure the suse certificate is there (how can I check this?).
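
An added example, not part of the original post or of Ventoy's code: a PE/COFF image keeps its embedded Authenticode signatures in the Certificate Table (data directory entry 4), and an image whose entry is empty has nothing for a verifier to check, which is the situation behind the "No signature table present" lines in the listing above. The sketch below reads that entry and counts the `WIN_CERTIFICATE` records in it; `build_sample` is a hypothetical helper that produces a constructed header stub so the block runs offline.

```python
import struct

CERT_DIR = 4  # data-directory index of the Certificate Table (Authenticode signatures)

def signature_table(image: bytes):
    """Return (file_offset, size) of the PE Certificate Table, or None if empty."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                  # optional header follows 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", image, dirs - 4)     # NumberOfRvaAndSizes
    if count <= CERT_DIR:
        return None
    off, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR)
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table extends past end of file")
    return off, size

def count_signatures(image: bytes) -> int:
    """Count WIN_CERTIFICATE entries; each is 8-byte aligned inside the table."""
    table = signature_table(image)
    if table is None:
        return 0
    off, size = table
    end, n = off + size, 0
    while off + 8 <= end:
        length, _rev, _type = struct.unpack_from("<IHH", image, off)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE length")
        n += 1
        off += (length + 7) & ~7
    return n

def build_sample(signed: bool) -> bytes:
    """Constructed PE32+ header stub for the demo; not a bootable image."""
    dirs = bytearray(16 * 8)
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8) if signed else b""
    if signed:
        struct.pack_into("<II", dirs, 8 * CERT_DIR, 328, len(cert))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert
```

On a real file, pass `open(path, "rb").read()` to `count_signatures`. A non-zero count only means a signature is embedded; whether the firmware or shim trusts its signer is a separate check against the enrolled keys.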

lutfor-diu commented 22 hours ago

Same. I am also getting an error when secure boot is enabled.

ventoy commented 22 hours ago

Please try this CI release: https://github.com/ventoy/Ventoy/actions/runs/11868854580 https://www.ventoy.net/en/doc_github_ci.html