Ventoy with secure boot enabled once worked well. But now it doesn't work.

[Humber-186]

Dell G3 3590 laptop, UEFI.
64GB USB 2.0 Drive.
Firstly, secure boot enable. Secondly secure boot disabled.
debian-live-10.7.0-amd64-kde+nonfree.iso
Maybe similar to issue #533

Ventoy 1.0.18 with secure boot enabled worked well on my computer months ago, and I used it to install Ubuntu 20.04 successfully. Today I tried to use the same USB Drive with ventoy 1.0.18 in it to try Debian 10.7 live CD, but it failed to show the ventoy menu. Instead, Dell support software begin to check the hardware, finding no problem. Then, Dell Support Recovery OS started loading. It took a long time and I chose to reboot.

Again, began to check the hardware. I pressed to abort the check and got a blackscreen with a underscore blinking. Soon the computer rebooted. I can still press F12 to choose where to boot from but the result is same.

Update to ventoy 1.0.31 but nothing changes.
Fresh install ventoy 1.0.31 (using '-I') but nothing changes.

I tried again: hardware checking, Dell Support Recovery OS loading, and finally enter the Recovery OS. I inputed the Windows bitlocker key as it asked. It could only help me about Windows booting issues. So I chose to exit.

I tried one more time. The hardware check disappeared. This sentence appeared:

Operating System Loader signature found in SecureBoot exclusion database ('dbx'). All bootable devices failed Secure Boot verification.

I reinstalled ventoy 1.0.31 with secure boot disabled. Also, I disabled the secure boot from BIOS. This time the ventoy menu appeared. But when I chose debian*.iso file, I got an grub cmd line. I tried to input "boot" and it said "...no kernel..." (can't remember clearly).

I tried to update BIOS but nothing happened.

I also tried to use etcher to create a traditional bootable USB drive and it worked well (secure boot enabled at that time).

I'm very confused, mainly because ventoy once worked well on my computer.

Thank you in advance.

[paddylandau]

I have the same problem with Dell OptiFlex 5480.

The problem is that Dell doesn't recognise the UEFI signature for Ventoy, which is why you get this error.

Either Ventoy doesn't use a recognised signing certificate, and so needs to fix this, probably by using Microsoft's signing key (as, for example, Ubuntu does); or Dell has some quirk causing the error, and needs to fix this with a firmware update. I'm not technical, so I don't know how to tell which is the case.

There are two ways around this: Either install Ventoy's signing key into your Dell, which I don't know how to do, or temporarily turn off the UEFI Secure Boot. Both methods carry some small risk, but will be OK as long as you trust both Ventoy and your ISO downloads.

As we both have Dell, my workaround will probably work for you, too.

1. Reboot > F12 (Boot Options) > Change Boot Mode Settings > turn off UEFI
2. Reboot > F12 (Boot Options) > choose the Ventoy USB
3. Do what you need to do
4. Reboot > F12 (Boot Options) > Change Boot Mode Settings > turn on UEFI
5. Reboot into your system

It's important to remember step 4 before you boot into any other system.

[steve6375]

A recent Windows 10 update KB4535680 writes a hash key into the DBx (blacklist) database.
So if you recently ran Windows 10 on that system, it will have installed that update which is why it Secure booted OK before but not now.
You can usually use the BIOS menu system to clear the DBx blacklist from the firmware. If you do this and it then Secure Boots to Ventoy, then it proves that the blacklist was the cause.
Presumably the hash key used by the update matches the EFI file used on your Ventoy USB disk?

[paddylandau]

@steve6375 — I don't have Windows. I use Linux Ubuntu. However, it's entirely possible that Dell released the same update to Linux.

I checked my BIOS, and saw that it was updated once in September 2020 (when I purchased the computer), and again on 29 January 2021 (which was after the initial bug report, so that wasn't the cause).

I don't have the skills to remove the item from the BIOS, or even to know what the item would look like, so I'll have to stick with using the workaround for now. I'm certainly not going to remove the entire blacklist, because that would be insecure.

Is this something that we need to report to Dell, I wonder? If so, do you know how to report this, because I don't have the technical know-how to explain it in a bug report?

[steve6375]

The original poster did have windows as the system booted to bitlocker. Your issue is probably you did not enroll the hash key using mok manager as instructed on the ventoy website?

[paddylandau]

@steve6375 — I'm sorry, I don't know what that means.

I followed the installation instructions, and after reading the help from Ventoy2Disk program, I installed with secure boot support enabled (i.e. use -s when installing).

I know that I used the setting, because there's an EFI system partition on the USB, and Ventoy2Disk -l shows Secure Boot Support : YES.

Looking at the website, only now have I seen the Secure Boot instructions and reference to MOK. However, the screens that it displays in the instructions do not appear for me at all. Instead, I get the same problem as the OP, where the disk is outright rejected by the BIOS.

So, for me to add the key to the BIOS, I'd need to know how, because I'm not that technically skilled. I wouldn't even know how to start, sorry.

[ValdikSS]

Try to replace files on Ventoy EFI partition with the files from the archive and report back if it worked for you.
This is shim v15 from Fedora, while current Ventoy has shim v13.
try_1.zip

[paddylandau]

Try to replace files on Ventoy EFI partition with the files from the archive and report back if it worked for you.
This is shim v15 from Fedora, while current Ventoy has shim v13.
try_1.zip

@ValdikSS — Thank you for the advice.

When copying the files across, I noticed that while I already had BOOTX64.EFI (and so your version overwrote it), I didn't have mmx64.efi, so this was new on the USB. Does this mean that, somehow, my USB is only set up for 32-bit? Obviously, I have a 64-bit machine.

When I did as you instructed and rebooted, unfortunately, I still had the same problem.

I downloaded the latest version of Ventoy (1.0.36; I had 1.0.35). In case it makes a difference, I downloaded ventoy-1.0.36-linux.tar.gz from Github as instructed on the website. I did confirm the SHA hash. I installed Ventoy on the USB from scratch, completely overwriting what was there.

Here is the full list of files in /VTOYEFI/EFI/BOOT:

BOOTAA64.EFI
BOOTIA32.EFI
BOOTX64.EFI
MokManager.efi
grubia32.efi
grubia32_real.efi
grubx64.efi
grubx64_real.efi
mmia32.efi

As you can see, there is no mmx64.efi.

Unfortunately, I still had the same problem.

Looking on the USB, I see the file ENROLL_THIS_KEY_IN_MOKMANAGER.cer. Is this the MOK file that was being discussed earlier in this thread? Or is it something completely different?

Sorry for the rookie questions. I don't know how to deal with certificates, and if that is the MOK key, I have no idea how to install it.

[ValdikSS]

As you can see, there is no mmx64.efi.

That's ok, that's not an issue.

Could you provide a photo of the screen where you see the message? Check your UEFI settings if there's function to save dbx database (forbidden signature database for Secure Boot) to file on a flash drive. If it's possible, please post the file here.

[paddylandau]

@ValdikSS

That's ok, that's not an issue.

That's good.

Could you provide a photo of the screen where you see the message?

There's no message.

Normally, when I boot with a USB stick (e.g. with Ubuntu), at the boot screen, I press F12; after a few seconds, I choose the USB stick; then the computer boots from that stick.

But, with Ventoy, I press F12; after a few seconds, I choose the Ventoy USB stick; then the computer just reboots without any message at all, presumably concluding that the Ventoy stick fails Secure Boot.

Check your UEFI settings if there's function to save dbx database (forbidden signature database for Secure Boot) to file on a flash drive. If it's possible, please post the file here.

The BIOS allowed me to save the files onto the internal EFI partition. It gave four options: KEK, PK, db and dbx. I saved all of them.

I don't know if it's safe to post all of them to the internet (I presume that PK means "Private Key"), so if I put them in a ZIP, is it possible for me to PM them to you? Or, is it safe to post here?

Thank you for spending time on this!

[ValdikSS]

It's safe to post it here. All these files are public keys, not a private ones. PK is Platform Key. You can mail me at iam@valdikss.org.ru.

[paddylandau]

It's safe to post it here.

Thank you. I've attached the ZIP file.
Key exports.zip

You can mail me at…

It's probably best for you to remove your email address because of spam :)

[koelle25]

Hi, I had exactly the same error message as the OP on my Dell notebook (Operating System Loader signature found in SecureBoot exclusion database ('dbx').).

For me the following helped:

1. Enter BIOS/UEFI Settings
2. Go to "Secure Boot" -> "Custom Mode"
3. Enable "Custom Mode"
4. Click on "Reset all keys"

Then, after a reboot and booting via Ventoy USB drive the blue "Security Violation" screen mentioned on Secure Boot instructions appeared and I could follow the guide to install/enroll the MOK key file (ENROLL_THIS_KEY_IN_MOKMANAGER.cer).

After another reboot I could successfully boot into the Ventoy menu and boot an ISO (in my case Windows 10).