[issue]: Secure Boot: Your shim isn't properly signed. #1243
Comments
You can make an issue here:
Can you supply a screenshot of the error message, or all the exact words displayed?
I'm having the same issue. Edit:
@ventoy
@rwasef1830 Thanks a lot for that research! @ventoy I see that you've already updated Ventoy to the new UEFI boot (https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/releases/tag/3-3). I will install https://github.com/ventoy/Ventoy/releases/tag/v1.0.76 on a USB stick and test it now! Hopefully this ticket will be closed after testing! :)
@ventoy Hmm, I thought I had sent a message earlier with the results in June, which were not good. I spent days there, trying signed secure boot shims/files from openSUSE and Fedora in Ventoy with varying improvements. I was able to get further in the boot by replacing shims, and the BIOS accepted the signature when I had replaced the shim, but I was still never able to make the Ventoy menu appear, which I (at the time) assumed to be some result of incorrectly configured chainloader file paths in the replacement shims I used. I still never managed to solve that completely. I also tried resetting CMOS (BIOS settings) multiple times to no avail, and tried resetting/re-enrolling the default SecureBoot keys from the motherboard manufacturer multiple times, but that didn't fix Ventoy either. The funny thing at the time is that I WAS able to boot the actual distros the various signed shims came from. The problems with booting only happened when using Valdik's secureboot (Ventoy) instead of a distro. I did so much research, and have a list of related tickets here:
Now for the amazing news: I have solved it! It's related to old versions of AGESA ComboAm4Pi/ComboAm4v2Pi on AMD motherboards. That's the name of AMD's universal BIOS. The version that shipped on my motherboard always refused to boot Ventoy, specifically. I updated to the latest EFI BIOS for my MSI X570 Unify yesterday, and immediately Ventoy works in Secure Boot mode. This proves that some motherboards have either outdated EFI signing keys or outdated algorithms for checking the signatures of the chainloaded components, which could explain why the signing keys for Ventoy are invalid even though the shim itself is properly signed (and shim works with the old BIOS if only used for the distro it came from). This means that my final advice for everyone having issues is:
This has been a long journey. I will give you the honors of closing this ticket and adding the small note to the wiki. Thank you everyone who helped researching this difficult issue! Thank you Ventoy creators for an amazingly helpful program! ❤️
Here's some extra confirmation since someone asked me. I booted the newest Ventoy 1.0.86 in Secure Boot mode, effortlessly:
Updating to a later BIOS does not prove anything because the update process may also change the BIOS settings.
That's exactly what I did. I flashed probably 12 times with different old BIOS versions that all failed to boot Ventoy. I also did tons of BIOS resets and re-added the default Secure Boot keys so many times. I even forcibly tried to use mokutil to force-add the Ventoy key while inside a Linux live USB, to add it to my BIOS manually. That didn't work either. As soon as I went to the newest BIOS, Ventoy's Secure Boot signature is now accepted immediately without any tweaking required, and works properly.
I was able to do the MOK key sign and installed Debian 12 successfully, but when it asked to reboot, it went to GRUB, then I booted the OS but it showed some "[somenumber] blacklisted - Problem blacklisting hash - error code -13" or something like that. Note: I am using an MSI B550 Pro VDH WiFi motherboard and have forbidden the Debian and Ubuntu shim signatures as shown in the video above. Any idea what could help me?
Official FAQ
Ventoy Version: 1.0.61
What about latest release: Yes. I have tried the latest release, but the bug still exists. I have also done a clean reinstall of Ventoy (GPT + Secure Boot enabled).
BIOS Mode: UEFI Mode
Partition Style: GPT
Disk Capacity: 32GB
Disk Manufacturer: No response
Image file checksum (if applicable): No response
Image file download link (if applicable): No response
What happened?
The VTOYEFI partition contains EFI\BOOT\BOOTX64.efi, which is apparently from Fedora and is supposed to be properly signed. It isn't.
The UEFI firmware refuses to boot the file, saying it has an invalid signature.
I then SUCCESSFULLY PROVED that it has an invalid signature.
I copied the openSUSE shim which comes directly from Microsoft. It is around 900 KB. The shim you are using is 1.3 MB (it has clearly been modified).
When I replaced the shim EFI file with the Microsoft shim from openSUSE, Ventoy began booting successfully.
Here is a thread where another user describes the exact error message due to Ventoy's invalid shim EFI file:
https://forums.ventoy.net/showthread.php?tid=1801&page=2
The broken shim will need fixing/replacing in Ventoy.
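A way to check the two things this report argues about on your own copy of EFI\BOOT\BOOTX64.efi (whether the file carries a signature at all, and whether the signed bytes differ from another build), as an added example that is not Ventoy's or shim's own code: the script below parses the PE certificate table (the WIN_CERTIFICATE entries pointed to by the security data directory) and computes the Authenticode hash, which is the digest the embedded PKCS#7 signature covers and the value firmware compares against db/dbx/MOK hash entries. The one-section PE image it builds when run without a path is constructed for offline testing and is not a real shim; its certificate blob is a placeholder, not a valid PKCS#7. The script does not validate the signature chain itself; for that use `sbverify --list BOOTX64.efi` and `sbverify --cert <Microsoft UEFI CA certificate in PEM> BOOTX64.efi` from sbsigntools, or `pesign -S -i BOOTX64.efi`.

```python
"""Inspect a UEFI PE binary's Authenticode certificate table and compute its
Authenticode hash (what Secure Boot firmware matches against db/dbx/MOK).
Added example; not Ventoy or shim code."""
import hashlib
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the cert table


def parse_pe(data):
    """Header offsets needed for signature inspection and hashing."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    nsec, opt_size = [struct.unpack_from("<H", data, coff + o)[0] for o in (2, 16)]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32+ (x64/aarch64) vs PE32 (ia32): data directories start at 112 vs 96
    dirs_off, nrva_off = {0x20B: (112, 108), 0x10B: (96, 92)}[magic]  # KeyError otherwise
    secdir_off = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off = cert_size = 0
    if struct.unpack_from("<I", data, opt + nrva_off)[0] > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = [struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
                for i in range(nsec)]          # (SizeOfRawData, PointerToRawData)
    return {"checksum_off": opt + 64, "secdir_off": secdir_off,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "sections": sections, "cert_off": cert_off, "cert_size": cert_size}


def signature_info(data):
    """WIN_CERTIFICATE entries in the certificate table; [] means unsigned."""
    pe = parse_pe(data)
    off, size = pe["cert_off"], pe["cert_size"]
    if off == 0 or size == 0:
        return []
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], off
    while pos + 8 <= off + size:
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > off + size:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % pos)
        entries.append({"length": length, "revision": revision, "cert_type": ctype,
                        "authenticode": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
                        "pkcs7_der": data[pos + 8:pos + length]})
        pos += (length + 7) & ~7   # entries are 8-byte aligned
    return entries


def authenticode_hash(data, algo="sha256"):
    """Hash of everything except CheckSum, the security directory entry and the
    certificate table, so re-signing keeps it but any edit to code/headers changes it."""
    pe, h = parse_pe(data), hashlib.new(algo)
    ck, sd, end = pe["checksum_off"], pe["secdir_off"], pe["size_of_headers"]
    h.update(data[:ck] + data[ck + 4:sd] + data[sd + 8:end])
    hashed = end
    for raw_size, raw_ptr in sorted(pe["sections"], key=lambda s: s[1]):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - hashed - pe["cert_size"]   # trailing data before the cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_sample_pe(text_bytes, cert_blob=None, align=0x200):
    """Constructed one-section PE32+ EFI image for offline tests (not a real
    shim); cert_blob is stored verbatim and need not be a valid PKCS#7."""
    assert len(text_bytes) <= align
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, align)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, align)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    text = text_bytes.ljust(align, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000,
                       len(text), align, 0, 0, 0, 0, 0x60000020)
    cert = b""
    if cert_blob is not None:
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert = cert.ljust((len(cert) + 7) & ~7, b"\0")
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         align + len(text), len(cert))
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(align, b"\0")
    return headers + text + cert


if __name__ == "__main__":
    # with a path (e.g. BOOTX64.efi from a VTOYEFI partition) inspect that file, else the sample
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(b"\x90" * 16, cert_blob=b"\x30\x82" + b"A" * 100)
    for s in signature_info(image):
        print("WIN_CERTIFICATE type=0x%04x revision=0x%04x length=%d authenticode=%s"
              % (s["cert_type"], s["revision"], s["length"], s["authenticode"]))
    print("authenticode sha256:", authenticode_hash(image))
```

Two consequences worth keeping in mind when reading the thread: the Authenticode hash is the same for a signed and an unsigned copy of the same bytes, so a file can be re-signed without changing it, and a different size between two shim builds says nothing by itself, since what the firmware checks is whether the signature's digest matches the hash of the bytes in front of it and whether the signer chains to a certificate in db (or, for shim's own chainloading, in MOK). On a running Linux system, `mokutil --sb-state` and `mokutil --list-enrolled` show whether Secure Boot is active and which MOK certificates or hashes shim will accept.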