So that means that Ventoy will need to use a different key indeed. Check manjaro-gnome, not working. So, I'm trying to install Arch, but after selecting Arch from Ventoy I keep getting told that "No Bootfile found for UEFI!" An unsigned .efi file still cannot be chainloaded. And that is the right thing to do. Steve2926 Senior Member Background: Some of us have bad habits when using a USB flash drive and often pull it out directly. How to make sure that only valid .efi files can be loaded? chromeos_14816.99.0_reven_recovery_stable-channel_mp-v2.bin fails to boot on BIOS & UEFI. Won't it be annoying? Open File Explorer and head to the directory where you keep your boot images. As Ventoy itself is not signed with a Microsoft key. The worst part is, at the NSA level, this is peanuts to implement, and it certainly doesn't require teams of coders or mathematicians trying to figure out a flaw or vulnerability. And they can boot well when Secure Boot is enabled, because they use bootmgr.efi directly from the Windows ISO. How did you get it to be listed by Ventoy? I was just objecting to your claim that Secure Boot is useless when someone has physical access to the device, which I don't think is true, as it is still (afaik) required for TPM-based encryption to work correctly. Ctrl+i to change the boot mode of some ISOs to be more compatible. Ctrl+w to use wimboot to boot Windows and WinPE ISOs. It doesn't support Bluetooth and doesn't have Nvidia's proprietary drivers, but it's very easy to install. legacy - ok. This means the current mode is ARM64 UEFI. UEFI Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. Intel Sunrise Point-LP, Intel Kaby Lake-R. @chromer030 Your favorite, APorteus, was done with legacy & UEFI. It works only with the fallback graphics mode. I don't remember if the shortcut is Ctrl+i or Ctrl+r for GRUB mode.
Maybe we should just ask the user 'This file is not signed by Microsoft for 'Secure Boot' - do you still wish to boot from it?' Else I would have disabled Secure Boot altogether, since the end result is the same. Please give the exact ISO file name. Preventing malicious programs is not the task of Secure Boot. You can put the ISO file anywhere on the first partition. This ISO file doesn't change the Secure Boot policy. If someone has physical access to a system and that system is enabled to boot from a USB drive, then all they need to do is boot to an OS such as Ubuntu or WindowsPE or WindowsToGo from that USB drive (these OSes are all signed and so will Secure Boot). The injection is just like that: I extract the ubuntu.iso, change/add some script and create a new ISO file. VMware) in UEFI mode and confirm that the ISO file does support UEFI mode. Option 2 will be the default option. Minor one: when you try to start an unsigned .efi executable, the error message is shown for a very brief time and quickly disappears. https://osdn.net/projects/manjaro/storage/kde/, https://abf.openmandriva.org/platforms/cooker/products/4/product_build_lists/3250, https://abf.openmandriva.org/product_build_lists, chromeos_14816.99.0_reven_recovery_stable-channel_mp-v2.bin, https://github.com/rescuezilla/rescuezilla/releases/download/2.4/rescuezilla-2.4-64bit.jammy.iso, https://nyancat.fandom.com/wiki/MEMZ_Nyan_Cat, https://www.youtube.com/watch?v=-mv6Cbew_y8&t=1m13s, https://mega.nz/folder/TI8ECBKY#i89YUsA0rCJp9kTClz3VlA. I would say that it probably makes sense to first see what LoadImage()/StartImage() let through in an SB enabled environment (provided that this is what Ventoy/GRUB uses behind the scenes, which I'm not too sure about), and then decide if it's worth/possible to let users choose to run unsigned bootloaders. However, the solution is not perfect enough.
Format XFS in Linux: sudo mkfs -t xfs /dev/sdb1. It may be related to the motherboard USB 2.0/3.0 port. sol-11_3-live-x86.iso | 1.22 GB, gnewsense-live-4.0-amd64-gnome.iso | 1.10 GB, hyperbola-milky-way-v0.3.1-dual.iso | 680 MB, kibojoe-17.09final-stable-x86_64-code21217.iso | 950 MB, uruk-gnu-linux-3.0-2020-6-alpha-1.iso | 1.35 GB, Redcore.Linux.Hardened.2004.KDE.amd64.iso | 3.5 GB, Drauger_OS-7.5.1-beta2-AMD64.iso | 1.8 GB, MagpieOS-Gnome-2.4-Eva-2018.10.01-x86_64.iso | 2.3 GB, kaisenlinuxrolling1.0-amd64.iso | 2.80 GB, chakra-2019.09.26-a022cb57-x86_64.iso | 2.7 GB, Regata_OS_19.1_en-US.x86_64-19.1.50.iso | 2.4 GB. @chromer030 hello. What exactly is the problem? Hi, Hiren's Boot CD can be booted by Ventoy in Memdisk mode; try Ventoy 1.0.08 beta2. https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532. Most modern computers come with Secure Boot enabled by default, which is a requirement for the Windows 10 certification process. I downloaded the file Win10_21H2_BrazilianPortuguese_x64.iso. So as @pbatard said, the Secure Boot solution is a stopgap and that's why Ventoy is still at 1.0.XX. If you have a faulty USB stick, then you're likely to encounter booting issues. It looks like that version https://github.com/ventoy/Ventoy/releases/tag/v1.0.33 fixes the issue with my ThinkPad. Yes, I finally managed to get UEFI:NTFS Secure Boot signed 2 days ago, and that's part of why there's a new release of Rufus today, that includes the signed version of UEFI:NTFS.
1.0.84 UEFI www.ventoy.net ===> Porteus-CINNAMON-v4.0-x86_64.iso - 321 MB, APorteus-MULTI-v20.03.19-x86_64.iso - 400 MB, Fedora-Security-Live-x86_64-32_Beta-1.2.iso - 1.92 GB, Paragon_Hard_Disk_Manager_15_Premium_10.1.25.1137_WinPE_x64.iso - 514 MB, pureos-9.0-plasma-live_20200328-amd64.hybrid.iso - 1.65 GB, pfSense-CE-2.4.5-RELEASE-amd64.iso - 738 MB, FreeBSD-13.0-CURRENT-amd64-20200319-r359106-disc1.iso - 928 MB, wifislax64-1.1-final.iso - 2.18 GB. list vol - select vol of EFI (in my case nr 14) as illustrated - assign - the EFI drive is mounted as Q:. Also possible is: after booting with Win10XPE from RAMDISK, the hidden EFI drive 4. ext2fsd Seriously? They can't eliminate them totally, but they can provide an additional level of protection. You were able to use TPM for disk encryption long before Secure Boot, and rightfully so, since the process of storing and using data encryption keys is completely different from the process of storing and using trust chain keys to validate binary executables (being able to decrypt something is very different from being able to trust something). So, Secure Boot is not required for TPM-based encryption to work correctly. When installing Ventoy, maybe an option for the user to choose. That's theoretically feasible but is clearly banned by the shim/MS. So maybe Ventoy also needs a shim as Fedora/Ubuntu do. It should be specially noted that, whether USB drive or local disk, all the data will be lost after installing Ventoy, please be very careful. en_windows_10_business_editions_version_2004_updated_may_2020_x64_dvd_aa8db2cc.iso Ventoy Version 1.0.78. What about the latest release? Yes. Any progress towards proper Secure Boot support without using MokManager? Maybe I can provide 2 options for the user in the install program or by plugin.
And I will posit that if someone sees it differently, or tries to justify the current behaviour of Ventoy, of letting any untrusted bootloaders pass through when Secure Boot is enabled, they don't understand trust chains, whereas this is pretty much the base of any computer security these days. But when I try to boot it with Ventoy it does not boot and says the message "No bootfile found for UEFI". Can I reformat the 1st (bigger) partition? In this quick video guide I will show you how to fix the error: No bootfile found for UEFI! Maybe the image does not support X64 UEFI! I had this problem on my . You can copy several ISO files at a time, and Ventoy will offer a boot menu where you can select them. Rename it as MemTest86_64.efi (or something similar). Customizing installed software before installing LM. It was working for hours before finally failing with a non-specific error. I still don't know why it shouldn't work even if it's complex. All the .efi/kernel/drivers are not modified. It says that no bootfile found for UEFI. Is there a way to force Ventoy to boot in Legacy mode? If you want, you can toggle the Show all devices option, then all the devices will be in the list. By the way, this issue could be closed, couldn't it? So maybe Ventoy also needs a shim as Fedora/Ubuntu do. The live folder is similar to Debian live. Format NTFS in Windows: format x: /fs:ntfs /q. @adrian15, could you tell us your progress on this? Code that is subject to such a license that has already been signed might have that signature revoked. Yeah, I think UEFI LoadImage()/StartImage(), which is what you'd call to chain load the UEFI bootloader, are set to validate the loaded image for Secure Boot and not launch it for unsigned/broken images, if Secure Boot is enabled (but I admit I haven't formally validated that).
Interestingly enough, the ISO does contain the efi files as I made sure to convert the whole IMG, which on the other hand is the basis for the creation of a memtest flash drive. plist file using ProperTree. It was actually quite the struggle to get to that stage (expensive too!) Ventoy up to 1.0.12 used the /dev/mapper/ventoy approach to boot. 1.0.84 IA32 www.ventoy.net ===> However, because no additional validation is performed after that, this leaves the system wide open to malicious ISOs. 1. What you want is for users to be alerted if someone picked a Linux or Microsoft media, and the UEFI bootloader was altered from the original. After the reboot, select Delete MOK and click Continue. Using Ventoy-1.0.08, ubuntudde-20.04-amd64-desktop.iso is still unable to boot under UEFI. And of course, by the same logic, anything unsigned should not boot when Secure Boot is active. @pbatard, if that's what your concern is, that could be easily fixed by deleting grubia32.efi and grubx64.efi in /EFI/BOOT, and renaming grubia32_real.efi to grubia32.efi and grubx64_real.efi to grubx64.efi. As I understand, you only tested via UEFI, right? Secure Boot is supported since Ventoy-1.0.07, please use the latest version and see the Notes. Option 1: Completely bypass Secure Boot like the current release. Adding an efi boot file to the directory does not make an ISO UEFI-bootable. I can provide 3 options, and option 3 is the default. Help !!!!!!! This filesystem offers better compatibility with Windows, macOS, and Linux. Maybe the image does not support X64 UEFI! For instance, someone could produce a Windows installation ISO that contains a malicious /efi/boot/bootx64.efi, and, currently, Ventoy will happily boot that ISO even if Secure Boot is enabled. Download ventoy-delete-key-1..iso and copy it to the Ventoy USB drive.
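The "No bootfile found for UEFI" and "adding an efi boot file to the directory does not make an ISO UEFI-bootable" remarks above come down to what the firmware actually looks for: not a file at /EFI/BOOT/BOOTX64.EFI in the ISO 9660 directory tree, but an El Torito boot catalog entry for the EFI platform (0xEF) that points at a FAT boot image. The script below is an added example, not Ventoy's code and not from any poster in this thread; it walks the boot catalog of an image and reports which platforms have a bootable entry. The sample image it builds in memory is constructed for the demo and is not a real distribution ISO.

```python
"""Report which El Torito platforms an ISO image can boot (added example)."""
import struct
from typing import Optional, Set

SECTOR = 2048
BRVD_LBA = 17                      # Boot Record Volume Descriptor lives at sector 17
EL_TORITO_ID = b"EL TORITO SPECIFICATION"
PLATFORM_X86 = 0x00                # BIOS
PLATFORM_EFI = 0xEF                # UEFI (what a UEFI loader looks for)


def find_boot_catalog(image: bytes) -> Optional[int]:
    """LBA of the boot catalog, or None if the image has no El Torito boot record."""
    desc = image[BRVD_LBA * SECTOR:(BRVD_LBA + 1) * SECTOR]
    if len(desc) < SECTOR or desc[0] != 0 or desc[1:6] != b"CD001":
        return None
    if desc[7:7 + len(EL_TORITO_ID)] != EL_TORITO_ID:
        return None
    return struct.unpack_from("<I", desc, 0x47)[0]


def boot_platforms(image: bytes) -> Set[int]:
    """Set of platform IDs that have at least one bootable (0x88) catalog entry."""
    cat_lba = find_boot_catalog(image)
    if cat_lba is None:
        return set()
    cat = image[cat_lba * SECTOR:(cat_lba + 1) * SECTOR]
    # Validation entry: header 0x01, platform ID at byte 1, key bytes 55 AA at 0x1E..0x1F
    if len(cat) < 0x40 or cat[0] != 0x01 or cat[0x1E:0x20] != b"\x55\xAA":
        return set()
    platforms = set()
    platform = cat[1]
    pos = 0x20
    if cat[pos] == 0x88:           # initial/default entry (BIOS on most hybrid ISOs)
        platforms.add(platform)
    pos += 0x20
    # Section headers (0x90 = more follow, 0x91 = last) carry their own platform ID
    while pos + 0x20 <= len(cat) and cat[pos] in (0x90, 0x91):
        platform = cat[pos + 1]
        n_entries = struct.unpack_from("<H", cat, pos + 2)[0]
        last = cat[pos] == 0x91
        pos += 0x20
        for _ in range(n_entries):
            if pos + 0x20 > len(cat):
                break
            if cat[pos] == 0x88:
                platforms.add(platform)
            pos += 0x20
        if last:
            break
    return platforms


def supports_uefi(image: bytes) -> bool:
    return PLATFORM_EFI in boot_platforms(image)


def build_sample_iso(with_efi: bool) -> bytes:
    """Constructed minimal image: BRVD at sector 17, catalog at 20, boot images at 21/22."""
    cat_lba, bios_lba, efi_lba = 20, 21, 22
    image = bytearray(SECTOR * 24)
    brvd = bytearray(SECTOR)
    brvd[1:6] = b"CD001"
    brvd[6] = 1
    brvd[7:7 + len(EL_TORITO_ID)] = EL_TORITO_ID
    struct.pack_into("<I", brvd, 0x47, cat_lba)
    image[BRVD_LBA * SECTOR:(BRVD_LBA + 1) * SECTOR] = brvd
    cat = bytearray(SECTOR)
    val = bytearray(0x20)            # validation entry for the BIOS platform
    val[0], val[1] = 0x01, PLATFORM_X86
    val[0x1E:0x20] = b"\x55\xAA"
    struct.pack_into("<H", val, 0x1C, (-sum(struct.unpack("<16H", val))) & 0xFFFF)
    cat[0:0x20] = val
    # Default entry: bootable, no emulation, load segment 0x7C0, 4 x 512-byte sectors
    struct.pack_into("<BBHBBHI", cat, 0x20, 0x88, 0x00, 0x07C0, 0, 0, 4, bios_lba)
    if with_efi:
        # Final section header for platform 0xEF with one bootable entry (the FAT image)
        struct.pack_into("<BBH", cat, 0x40, 0x91, PLATFORM_EFI, 1)
        struct.pack_into("<BBHBBHI", cat, 0x60, 0x88, 0x00, 0, 0, 0, 8, efi_lba)
    image[cat_lba * SECTOR:(cat_lba + 1) * SECTOR] = cat
    return bytes(image)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"EFI entry={flag}: platforms={sorted(boot_platforms(build_sample_iso(flag)))}")
```

Run it against a real file with `boot_platforms(open(path, "rb").read())`; an ISO that prints only `{0}` has a BIOS-only catalog and will produce exactly the "No bootfile found for UEFI" result no matter what is copied into /EFI/BOOT.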
Hi, Gentoo LiveDVD doesn't work; when I try to boot it, it shows the GRUB CLI. Paragon ExtFS for Windows. Users who enabled Secure Boot want to be warned if a boot loader fails Secure Boot validation, regardless of where that bootloader is executed from. 04-23-2021 02:00 PM. On Mon, Feb 22, 2021 at 12:25 PM Steve Si wrote: You can change the type or just delete the partition. its existence because of the context of the error message. MB: GA-P110-D3, CPU: Intel Core i5 6400, RAM: 8GB DDR4, GPU: IGFX + NVIDIA GT730, MB: GA-H81M-S2PV, CPU: Intel Core i3 4650, RAM 8GB DDR3, GPU: IGFX, slitaz-rolling-core-5in1.iso In this situation, with the current Ventoy architecture, nothing will boot (even the Fedora ISO), because validating (and loading) files signed with the Shim certificate requires support from the bootloader and every chainloaded .efi file (it uses a custom protocol; regular EFI functions can't be used). This file is not signed by Microsoft for 'Secure Boot' - do you still wish to boot from it? # Archlinux minimal Install with btrfs ## Introduction If you don't know about Arch Linux, and are willing to learn, then check this post, - [Arch Linux](https://wiki . Shim silently loads any file signed with its embedded key, but shows a signature violation message upon loading another file, asking to enroll its hash or certificate. *lil' bow* If you use the Linux kernel's EFI stub loader or ELILO, you may need to store your kernel on the ESP, so creating an ESP on the large end of the scale is advisable. For instance, if you produce digitally signed software for Windows, to ensure that your users can validate that when they run an application, they can tell with certainty whether it comes from you or not, you really don't want someone to install software on the user computer that will suddenly make applications that weren't signed by you look as if they were signed by you.
The user should be notified when booting an unsigned efi file. Besides, you can try a Linux ISO file, for example ubuntu-20.04-desktop-amd64.iso. I have the same for Memtest86-4.3.7.iso and ipxe.iso, but it works fine with netboot.xyz-efi.iso (v2.0.17), manjaro-gnome-20.0.3-200606-linux56.iso, Windows10_PLx64_2004.iso and HBCD_PE_x64.iso (v1.0.1). Lenovo Ideapad Z580. It looks cool. It's the job of Ventoy's custom GRUB to ensure that what is being chainloaded is Secure Boot compliant because that's what users will expect from a trustworthy boot application in a Secure Boot environment. If you want, can you test this too? :) Error message: I'm not talking about CSM. It is designed to protect a system against malicious code being loaded and executed early in the boot process, before the operating system has been loaded. Rik. Tested on 1.0.77. Now there's no need to format the disk again and again or to extract anything. With Ventoy, simply copy the ISO file to the USB drive and boot it. And if you somehow let bootloaders that shouldn't be trusted through, such as unsigned ones, then it means your whole chain of trust is utterly broken, because there simply cannot even exist a special case for "USB" vs "something else". 1.0.84 AA64 www.ventoy.net ===> Then the user will be clearly told that, in this case, only distros whose bootloader is signed with a valid key can be loaded. Now, if Microsoft finally relinquished their abusive policy about not accepting GPLv3 code for Secure Boot signing and Ventoy was updated not to allow unsigned bootloaders when Secure Boot is enabled (i.e. But it shouldn't be up to the user to do that. But of course, it's your choice to pick what you think is best for your users and the above is just one opinion on the matter. I tested the Manjaro ISO KDE X64. In Windows, Ventoy2Disk.exe will only list devices that are removable and of USB interface type by default. ^^ Maybe a Lenovo / ThinkPad / ThinkCentre issue?
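Several comments above ask that the user be told when the .efi file about to be chainloaded is unsigned. A cheap first check, before the firmware ever sees the file, is whether the PE32+ binary carries an Authenticode certificate table at all (IMAGE_DIRECTORY_ENTRY_SECURITY, data directory index 4). The code below is an added example and is not Ventoy's, GRUB's or Shim's code. It only checks the presence and framing of a WIN_CERTIFICATE; it does not verify the PKCS#7 signature or whether the signer chains to a key in db, so "signed" here means "carries a signature", not "trusted". The sample binaries are constructed in memory and are not real bootloaders.

```python
"""Classify a UEFI PE image as unsigned / signed / malformed by its certificate table."""
import struct
from typing import Optional, Tuple

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # the only type Authenticode uses
SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """(file offset, size) of the certificate table, or None if the PE headers are unusable."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    coff = pe_off + 4
    opt_off = coff + 20                          # COFF file header is 20 bytes
    if len(data) < opt_off + 2:
        return None
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at 0x60 (PE32) or 0x70 (PE32+) inside the optional header
    dd_base = {PE32_MAGIC: 0x60, PE32PLUS_MAGIC: 0x70}.get(magic)
    if dd_base is None:
        return None
    entry = opt_off + dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt_off + opt_size or entry + 8 > len(data):
        return None                              # header declares too few directories
    # Unlike other directories this one holds a raw file offset, not an RVA
    return struct.unpack_from("<II", data, entry)


def describe_signature(data: bytes) -> str:
    sd = security_directory(data)
    if sd is None:
        return "malformed"
    off, size = sd
    if off == 0 or size == 0:
        return "unsigned"
    if off + 8 > len(data) or off + size > len(data):
        return "malformed"
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, then the PKCS#7 blob
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length > size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "malformed"
    return "signed"


def build_sample_efi(signed: bool) -> bytes:
    """Constructed minimal PE32+ EFI application; optional placeholder certificate table."""
    opt_size = 0x70 + 16 * 8                     # PE32+ optional header with 16 directories
    pe_off = 0x80
    img = bytearray(pe_off + 4 + 20 + opt_size)
    img[:2] = DOS_MAGIC
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = PE_MAGIC
    struct.pack_into("<H", img, pe_off + 4 + 16, opt_size)          # SizeOfOptionalHeader
    opt = pe_off + 4 + 20
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<H", img, opt + 0x44, SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", img, opt + 0x6C, 16)                    # NumberOfRvaAndSizes
    if signed:
        # Placeholder WIN_CERTIFICATE: correct framing, but the blob is not a real PKCS#7
        blob = b"\x30\x82\x00\x00"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", img, opt + 0x70 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"sample signed={flag}: {describe_signature(build_sample_efi(flag))}")
```

For a real file use `describe_signature(open("bootx64.efi", "rb").read())`. A result of "unsigned" is exactly the case firmware with Secure Boot enforced will refuse, so it is the point at which a loader that cares about Secure Boot should stop and warn rather than chainload.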
Win10 UEFI + GPT, Win10 UEFI, Win7. In Windows, some processes will occupy the USB drive, and Ventoy2Disk.exe cannot obtain control of the USB drive, so the device cannot be listed. Hi, thanks for your reply. I have the same error: after the menu to start HDClone, it goes back to the menu with a black window saying it's loading the ISO file to memory, and then it freezes. If that is not the case already, I would also strongly urge everyone to consider the problem not as "People who want Secure Boot should perform extra steps to ensure that only signed executables will boot" but instead as "People who don't care about Secure Boot but have it enabled should either disable Secure Boot or perform extra steps if they want unsigned executables to boot". and select the efisys.bin from the desktop and save the .iso. Now the Minitool.iso should boot into UEFI with Ventoy. Let the user access their computer (fat chance they're going to remove the heatsink and thermal paste to see if their CPU was changed, especially if, as far as they are concerned, no change has occurred and both the computer appearance and behaviour are indistinguishable from usual). https://github.com/ventoy/Ventoy/releases/tag/v1.0.33, https://www.youtube.com/watch?v=F5NFuDCZQ00, http://tinycorelinux.net/13.x/x86_64/release/. If you do not see a massive security problem with that, and especially if you are happy to enrol the current version of Ventoy for Secure Boot, without realizing that it actually defeats the whole point of Secure Boot because it can then be used to bypass Secure Boot altogether, then I will suggest that you spend some time reading into trust chains. I think it's OK. However, users have reported issues with Ventoy not working properly and encountering booting issues. I installed ventoy-1.0.32 and replaced the .efi files.
However, I would say that, if you are already running "arbitrary" code in UEFI mode to display a user message, while Secure Boot is enabled, then you should be able to craft your own LoadImage()/StartImage() that doesn't go through SB validation (by copying the LoadImage()/StartImage() code from the EDK2 and removing the validation part). Ventoy just creates a virtual CD-ROM device based on the ISO file and chainloads to the bootx64.efi/shim.efi inside the ISO file. For those who select to bypass Secure Boot. No! And we've already been over whether USB should be treated differently than internal SATA or NVMe (which, in your opinion it should, and which in mine, and I will assert the majority of people who enable Secure Boot, it shouldn't). For GRUB modules, maybe I can pack all the modules into one grub.efi, and for other .efi files (e.g. I hope this helps; you can use Rufus, Ventoy, easy to boot, etc. Although it could be disabled on all typical motherboards in the UEFI setup menu, sometimes it's not easily possible, e.g. Maybe the image does not support X64 UEFI! So I apologise for that. Hi, HDClone can be booted by Ventoy in Memdisk mode for legacy BIOS; try Ventoy 1.0.08 beta2. https://osdn.net/projects/manjaro/storage/kde/, manjaro-kde-20.0-rc3-200422-linux56.iso BOOT. Most likely it was caused by the lack of a USB 3.0 driver in the ISO. Tested on ASUS K40IN. Unable to boot properly. Boots, but unable to find its own files; specifically, does not find the boot device and waits for user input to find its root device. arnaud. Thank you. Guide For Ventoy With Secure Boot in UEFI 1. All the steps below only need to be done once for each computer when booting Ventoy for the first time. Feedback is welcome. If your tested hardware or image file is not listed here, please tell me and I will be glad to add it to the table here.
Because if I know you ever used Ventoy in a Secure Boot enabled environment, I can now run any malicious payload I want at the UEFI level, on your computer. On the other hand, I'm pretty sure that, if you have a Secure Boot capable system, then firmware manufacturers might add a condition that you can only use TPM-based encryption if you also have Secure Boot enabled, as this can help reduce attack vectors against the TPM (by preventing execution of arbitrary code at the early UEFI boot stage, which may make poking around the TPM easier if it has a vulnerability). Go ahead and download Rufus from here. In a real use case, when you have several Linux distros (not all of which have Secure Boot support) and several unsigned UEFI utilities, it's just easier to temporarily disable Secure Boot with the SUISBD method. FreeBSD 13.1-RELEASE Aarch64 fails to boot saying "No bootfile found for UEFI!". For those who select to bypass Secure Boot. Maybe the image does not support X64 UEFI. Then Ventoy will load without issue if Secure Boot is enabled in the BIOS. All other distros cannot be booted. The point is that if a user whitelists Ventoy using MokManager, they are responsible for anything that they then subsequently run using Ventoy. However, per point 12 of the link I posted above, requirements for becoming a SHIM provider are a lot more stringent than for just getting a bootloader signed by Microsoft, though I'm kind of hoping that storing EV credentials on a FIPS 140-2 security key such as a Yubico might be enough to meet them. Currently there is only a "Secure Boot support" option to check. I should also note that the key used in Ventoy is the same used in Super UEFIinSecureBoot Disk, my key. If a user is booting a lot of unsigned bootloaders with Secure Boot enabled, they clearly should disable Secure Boot in their settings, because, for what they are doing, it is pretty much pointless. @steve6375 slax 15.0 boots.
Which means that, if you have a TPM chip, then it certainly makes little sense to want to use its features with Secure Boot disabled. Secure Boot is disabled in the BIOS on both systems, and the ISO boots just fine if I write it directly to a USB stick with Fedora Image Writer. I have the same error with EndeavorOS_Atlantis_neo_21_5.iso using Ventoy 1.0.70. The EndeavorOS ISO boots with no issues when it's on its own USB, but not through Ventoy.