New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[issue]: Booting Ventoy with Secure Boot support fails on Lenovo ThinkPad X280 #2692
Comments
same issue with dell xps13 9343 |
Same issue with ASUS TUF Gaming A15. |
Thanks for sharing, does this mean Ventoy needs to support the new SHIM? |
This happened to me just now,
7 days ago I was use ventoy to install windows 11 on my PC, after that I didn't change anything , now I was try to boot some Linux to test and I have this error, why this happened if all is same bios, configuration ? |
I'm on a Lenovo Ideapad 5 15iil05, running both Fedora 39 and Windows 11 with Secure Boot on and the latest BIOS installed. Having the same problem where booting into Ventoy with Secure Boot on (yes, the key is enrolled) just throws the I followed the instructions on the openSUSE help page that were sent here and that fixes it fine, but the moment I boot back into Fedora it updates the shim revocation list and I can no longer boot into Ventoy. |
Having the exact same problem! |
I have fixed this. Now everything is working fine. I cleared CMOS and reflashed the BIOS with the same (latest) version. After that, I installed Windows 11 and all updates. I checked again to see if any Windows update messed with Secure Boot, but it looks all fine. Ventoy is working. |
Warning, wall of text (sorry!): Here's what I've learned: Ventoy needs to update to Shim 15.8 because some systems were updated to that. I did a ton of research and from what I've found, it seems that in early February, Shim 15.8 was pushed out to address some security problems, and one of the things it does when installed is that it makes the system not be able to boot older Shim versions because they have security problems. The only way to get around this block list is to reset it using mokutil as detailed here or disable Secure Boot. The only distro I found that shipped Shim 15.8 is Fedora, so that means my hardware was updated with the new revocation list by Fedora (Fedora shipped it on March 12th, that's why I was booting a few weeks ago but not a few days ago). Not sure if Windows would do the same thing too. Not saying this happened to everyone, this is just my scenario. YMMV. I also did some testing, openSUSE Tumbleweed uses Shim 15.7 and despite supporting Secure Boot, I couldn't boot the latest ISO on my hardware too. So I am assuming that Ventoy uses Shim 15.7 as well and as such, I can't boot it with Shim 15.8 updating my Revocation List. TLDR: Shim 15.8 was released. Addresses security vulnerabilities. Part of the thing it does is when installed is to make the system not boot older Shims because security. This means you can't boot Ventoy if you installed the update since it uses an older Shim version. Some operating systems pushed out this update (but not all, Fedora is a definite yes). I mostly used these three sources to get my info: |
The secure boot bypass was not created by Ventoy (longpanda)
Windows update can push revocation of software but not as quickly updated as the Linux updates. It could be possible to find a new way to get secure boot on a newer shim, but I can't confirm or deny. |
I got the same error on my pc, it has worked just fine a week ago and I am on Windows 11. I did not change the configuration in UEFI, only thing that could probably have impacted this is updating Windows 11 is my guess? |
I got also same problem after boot with fedora iso and have found a workaround to fix it.
(If you want to restore ventoy, use update in ventoy gui) I tested fedora (40 daily build), arch, win 11 image with secure boot. |
I am going to try a make a PR that includes the x64 as well as aarch64 & ia32. |
This a temporary measure for amd64 architecture. Can it still function with grub named grubx64.efi? |
Because ventoy don't support secure boot for arm and mips (https://www.ventoy.net/en/doc_aarch64.html, https://www.ventoy.net/en/doc_mips64el.html), I think ia32 is enough.
grub.efi is not real grub, it's preloader for 64bit. Real grub efi files are grubx64_real.efi and grubia32_real.efi. |
I had this same issue in Zephyrus G16.
It worked and the Key enroll page appeared! |
I was able to install Ubuntu 24.04 using Ventoy, but hit that problem after booting the new system, then trying to boot Ventoy again. As @onenowy suggested, upgrading Ventoy's shim to 15.8 worked. But instead, I picked it from my newly installed Ubuntu 24.04, in |
are you meaning 15.8? |
Yes, typo, my bad.
I was able to boot from Ventoy and reinstall Ubuntu twice in row using shim 15.8 from Ubuntu 24.04. What's your error once you try to boot your iso? |
Tried PE and windows server 2022 iso, just a cursor flashing. |
Here's what I have: EFI/BOOT$ sha1sum *
3874085c8db41b48dbf29ce23b647feeb89b342f BOOTAA64.EFI
a9d468686be854bc40bb964c623e2368b1ce1d2e BOOTIA32.EFI
0d66084eed62fa4112c71d5147311410d3a6b04e BOOTMIPS.EFI
57bd685cd10578ddfbbc29f872e8dffc28cbce14 BOOTX64.EFI
19e997ac4b8b848a357520e8a38b0ec7cb5b0934 grub.efi
c18fc6f8cbe03bae95c73cdb58eae3c709a20b30 grubia32.efi
b0c95ae83302db23457dbb40c2554866ec29dd88 grubia32_real.efi
19e997ac4b8b848a357520e8a38b0ec7cb5b0934 grubx64.efi
d793229e156f74c969f1ea2f396ef7c6662b0501 grubx64_real.efi
1648c6015e4ad6c056ce31fba93da201da0a255c mmia32.efi
a57a083b21939c47d8606090ec0ff7395aad726c mmx64.efi
874ce4cf97ae45bff5758dd78029baef642c86d9 MokManager.efi signal-2024-04-28-101410-compressed.mp4 |
from ubuntu-24.04-desktop-amd64.iso
But I think it doesn't matter since the ventoy menu is correct. There must be other problems in my environment. there are 3 submenu after select iso file. with "boot in normal mode" and "boot in memdisk mode", it always failed. with "boot in wimboot mode", it works fine. |
Hi, Same error on my Lenovo X1 Carbon Gen 12. What's weird is the first boot out-of-the-box was fine after enrolling the key in the MOK, and I was able to install Ubuntu 24.04 without issues. I want to switch back over to Ubuntu 22.04 (for a few compatibility reasons) but I can no longer boot from the flash drive.I followed the steps mentioned by @onenowy and the clarification provided by @PikuZheng and can now successfully boot into Ventoy again. To summarize:
After rebooting, I was able to successfully boot from the flash drive. |
That's by design. IIRC, Shim>=15.8 (or Ubuntu itself, not sure) will blacklist shim<15.8 for security reasons upon boot/installation. That's why you have to upgrade shim on Ventoy for it to boot again |
After newly installing ventoy1.0.97 and replacing the BOOTX64.EFI and mmx64.efi files ( sha1 verification is the same as @robin-thoni), the boot menu appears, but the wim or iso file cannot be booted (normal mode). and copy or move grub.efi to grubx64.efi is necessary because only grubx64.efi will be searched by BOOTX64.EFI. and find this ValdikSS/Super-UEFIinSecureBoot-Disk#21. Hope this helps and gives me some advice on my issue. So....it works, but not completely? |
Official FAQ
Ventoy Version
1.0.96
What about latest release
Yes. I have tried the latest release, but the bug still exist.
Try alternative boot mode
No. I didn't try these alternative boot modes.
BIOS Mode
UEFI Mode
Partition Style
MBR
Disk Capacity
64GB
Disk Manufacturer
SanDisk
Image file checksum (if applicable)
None
Image file download link (if applicable)
No response
What happened?
Booting Ventoy with Secure Boot enabled on BIOS (and support enabled on Ventoy) fails with the following message:
The laptop is on latest BIOS (1.52 N20ET67W) and latest Ventoy (1.0.96)
The text was updated successfully, but these errors were encountered: