
How to get Ventoy working again after Windows update BROKE IT!

Posted: Sun Sep 15, 2024 9:01 am
by HarveyH

For those of you using Ventoy to get your puppies booted on a Secure Boot machine...

The last Windows update added a feature for our "ease of use". It locks out all but modern updated recognized EFI files. In short, unless you are using a modern Debian or Ubuntu, you ain't booting Linux on your computer anymore. This locks out Ventoy and I would assume all the Puppies. The computer says, more or less, "DANGER DANGER WILL ROBINSON. Your shim is corrupted" and powers off.

You have three solutions:
1) Disable Secure Boot on your system, period.
2) Disable Secure Boot every time you want to boot Linux and then re-enable it.
3) Perform a little surgery on the VTOYEFI partition.

Here's how to do #3 so you can leave Secure Boot on.
Give the partition a letter using Storage Settings/Advanced/Disks and partitions so Windows can access it. Copy BOOTX64.efi and mmx64.efi from a modern Ubuntu EFI/BOOT folder (use WinRAR to open the Ubuntu.iso file) to the VTOYEFI partition EFI/BOOT folder. Make sure that BOOTX64.EFI stays all in caps. Then rename grub.efi in /EFI/BOOT to grubx64.efi.

Summary:
BOOTX64.EFI gets replaced.

mmx64.efi gets added.

grub.efi gets renamed.
-----
Now Ventoy will work again. This may also work on a Puppy install. I did not test it.

Link to the original post on how to patch it is here: https://forum.puppylinux.com/viewtopic.php?t=12655
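
An added check for the three-file change described in the post above (example code written for this page, not part of the original post and not Ventoy's or Ubuntu's tooling). The function name and the two folder arguments are assumptions: the first is the EFI/BOOT folder extracted from the Ubuntu ISO, the second is the EFI/BOOT folder on the VTOYEFI partition.

```python
import hashlib
import os
import sys


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_vtoyefi(ubuntu_boot_dir, vtoy_boot_dir):
    """Return a list of problems; an empty list means all three changes are in place."""
    problems = []
    # listdir returns names as stored, so the exact-case test for BOOTX64.EFI
    # works even on a case-insensitive filesystem such as FAT.
    present = set(os.listdir(vtoy_boot_dir))
    source = {name.lower(): name for name in os.listdir(ubuntu_boot_dir)}

    # BOOTX64.EFI replaced and mmx64.efi added: both must be byte-identical
    # to the copies taken from the Ubuntu ISO.
    for name in ("BOOTX64.EFI", "mmx64.efi"):
        if name not in present:
            problems.append(f"{name} missing (or stored with different case)")
            continue
        src_name = source.get(name.lower())
        if src_name is None:
            problems.append(f"{name} not found in Ubuntu folder, cannot compare")
            continue
        copied = sha256_of(os.path.join(vtoy_boot_dir, name))
        original = sha256_of(os.path.join(ubuntu_boot_dir, src_name))
        if copied != original:
            problems.append(f"{name} differs from the Ubuntu copy")

    # grub.efi renamed: the new name must exist and the old one must be gone.
    lower = {name.lower() for name in present}
    if "grubx64.efi" not in lower:
        problems.append("grubx64.efi missing")
    if "grub.efi" in lower:
        problems.append("grub.efi still present (not renamed)")
    return problems


if __name__ == "__main__" and len(sys.argv) == 3:
    issues = check_vtoyefi(sys.argv[1], sys.argv[2])
    print("\n".join(issues) if issues else "EFI/BOOT matches the described state")
```

It only confirms that the copy and rename landed as described; it does not check signatures or tell you whether the firmware will accept the files.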


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Sun Sep 15, 2024 7:14 pm
by Clarity

Hi @HarveyH, thanks for this investigative work!

If you post this thread's link on the Ventoy forum here, they will address it in Ventoy. The development leader there is attentive, and helpful in addressing the quirks as they are reported.

When addressed, users will not need to make changes/exceptions.

They (Ventoy/SG2D authors), over the past year+, are constantly taking steps to address the effort of Secure Boot as Microsoft/Apple continue their efforts with hardware manufacturers.

Hope this helps


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Mon Sep 16, 2024 7:46 am
by HarveyH

I found this on the Ventoy forum:

"Ventoy 1.0.99 is the final version, soon longpanda will release another version with many new features."

So, there you go. 1.0.99 is the final version (too bad) but there is a new version coming soon (Oh, good).

This is my final post on the matter. I will make more posts on this matter.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Mon Sep 16, 2024 11:55 am
by wiak

Final post or not prior to new one... did you try any of this since using Secure Boot?

https://www.ventoy.net/en/doc_secure.html

which is about enrolling Ventoy shim into MOK I believe


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Mon Sep 16, 2024 3:08 pm
by nilsonmorales

Hello and thank you, please can you share the boot ubuntu iso files here please.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Tue Sep 17, 2024 9:22 am
by HarveyH
nilsonmorales wrote: Mon Sep 16, 2024 3:08 pm

Hello and thank you, please can you share the boot ubuntu iso files here please.

https://ubuntu.com/download/desktop


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Tue Sep 17, 2024 9:41 am
by HarveyH
wiak wrote: Mon Sep 16, 2024 11:55 am

Final post or not prior to new one... did you try any of this since using Secure Boot?

https://www.ventoy.net/en/doc_secure.html

which is about enrolling Ventoy shim into MOK I believe

Well, yes of course. That's how I got Ventoy to boot long before the Windows update. The problem is that *after* the update, the system refuses to even *try* to boot (a working!) Ventoy (along with any non-Modern-Ubuntu Linux). All you get is a little message about the shim being corrupted and the computer reboots. It doesn't even start to boot anything. No message about system policy, no [OK] button to enroll a key; just that quick message about a corrupted shim and a reboot.

After replacing those two files and renaming that grub.efi file, Ventoy boots again. From what I have read, it seems that before the update, the firmware would boot efi files without regard to their age*. Then you would get that screen about system policy and the [OK] where you could enroll a key. After the update, the system takes one look at the booting efi files and aborts if they aren't modern MS-signed efi files like Ubuntu's. Ventoy is not Ubuntu, so it won't work. What the hack does is make the system *think* it's Ubuntu booting (or at least a modern MS-approved Linux which Ventoy is NOT).

I dunno I'm just guessing here. 75% chance I'm wrong. Somebody who knows for sure, teach us.

* Some of the webpages on this subject remark that the Windows update reprograms the motherboard or the UEFI chip or something to reject all but the newest signed Linuxes. There seems to have been a security flaw with the older ones.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 1:48 pm
by HarveyH

If you don't like Ventoy, YUMI has Ventoy under the hood and can do some cool tricks. You still need to do the "Ventoy Hack" though.

https://pendrivelinux.com/yumi-multiboot-usb-creator/

UPDATE: It has Ventoy under the hood because it *is* Ventoy. lol See my post below


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 2:37 pm
by HarveyH

I'll be dipped. After looking around, I see that Yumi is Ventoy 1.0.99 all pimped out. It *is* Ventoy.
I downloaded the ventoy 1.0.99 zip file and put all the stuff into the ventoy folder in YUMI. Nothing got overridden since all that's in there now is the Yumi theme and the json file.

YUMI is a pretty version of Ventoy 1.0.99.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 2:39 pm
by wiak
HarveyH wrote: Tue Sep 17, 2024 9:41 am

After the update, the system takes one look at the booting efi files and aborts if they aren't modern MS-signed efi files like Ubuntu's. Ventoy is not Ubuntu, so it won't work. What the hack does is make the system *think* it's Ubuntu booting (or at least a modern MS-approved Linux which Ventoy is NOT).
...
* Some of the webpages on this subject remark that the Windows update reprograms the motherboard or the UEFI chip or something to reject all but the newest signed Linuxes. There seems to have been a security flaw with the older ones.

Yes, I have no doubt Microsoft is 'improving' the UEFI BIOS security firmware such that older shim hacks will not work. Also, yes, you are using Microsoft signed latest Ubuntu EFI files so all works fine thereafter for Ventoy to boot using these - well at least from usb removable flash stick. I haven't yet tried, but really I'm more interested/curious to know if it will also still allow non-Ubuntu distros to boot (such as Puppy Linux) when from internal drive rather than usb stick since I know from the past usb stick security was not so rigidly enforced for some reason or other.

In fact, nothing to do with Ventoy per se, but the latest Microsoft UEFI update scenario is likely to affect my own machine when I next update my distro, which as I said is Linux Mint. Since that is based on Ubuntu underneath it will of course boot using the new shim situation, but I will have to check if my other distros will boot okay still thereafter. I'll post back here once I know, but don't know when that will be.

The reason there could be a difficulty is that Ubuntu grub EFI files may only be the start of the trust chain involved - if a signed Ubuntu kernel is needed then some of my distros will not boot. In practice that chain of trust can sometimes just be up to grub finding vmlinuz, but could be much more stringent if arranged to be so. We will see.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 2:42 pm
by wiak
HarveyH wrote: Wed Sep 18, 2024 2:37 pm

I'll be dipped. After looking around, I see that Yumi is Ventoy 1.0.99 all pimped out. It *is* Ventoy.
I downloaded the ventoy 1.0.99 zip file and put all the stuff into the ventoy folder in YUMI. Nothing got overridden since all that's in there now is the Yumi theme and the json file.

YUMI is a pretty version of Ventoy 1.0.99.

Yes, it says so on YUMI website:

YUMI exFAT utilizes a bootloader based on Ventoy2Disk along with a custom YUMI theme and configuration enabling you to use advanced Ventoy boot methods with YUMI's helpful front end. Making it easy to find new distributions to download and try.

A bit odd right enough is that they say 'based on' rather than just 'is'; is there a difference somewhere?


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 2:48 pm
by HarveyH
wiak wrote: Wed Sep 18, 2024 2:39 pm

The reason there could be a difficulty is that Ubuntu grub EFI files may only be the start of the trust chain involved - if a signed Ubuntu kernel is needed then some of my distros will not boot. In practice that chain of trust can sometimes just be up to grub finding vmlinuz, but could be much more stringent if arranged to be so. We will see.

You know, this could all be avoided if MS would add a simple addition to the UEFI firmware. Instead of that "Your shim is borked-up"/power down crap, it could just pop up a warning:

"I don't recognize the shim. It could be malware. If you want to boot this device, type the master password from your BIOS".

"Are you *SURE* you want to boot it? It might be malware. (Y/N)"

"Last Chance! (Y/N)"


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 3:06 pm
by HarveyH
wiak wrote: Wed Sep 18, 2024 2:42 pm

Yes, it says so on YUMI website:

LMAO. Dude thinks I read the docs.

YUMI exFAT utilizes a bootloader based on Ventoy2Disk along with a custom YUMI theme and configuration enabling you to use advanced Ventoy boot methods with YUMI's helpful front end. Making it easy to find new distributions to download and try.

A bit odd right enough is that they say 'based on' rather than just 'is'; is there a difference somewhere?

Yes, there is a huge difference in the installer. You can run it to automagically download and add ISOs or remove ISOS. It will also create the persistence file(s) for you. The main boot menu has fancy options. It is Ventoy ... but pimped-out. Like Mint is "based on" Ubuntu, but much nicer.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Wed Sep 18, 2024 3:23 pm
by wiak
HarveyH wrote: Wed Sep 18, 2024 3:06 pm
wiak wrote: Wed Sep 18, 2024 2:42 pm

Yes, it says so on YUMI website:

LMAO. Dude thinks I read the docs.

:D

But... very many like to hack and proudly claim they never read the docs. I suppose we are all guilty of this sometimes.

However... An engineer generally actually always reads every word and sentence of every doc and with good reason. Not doing so means you don't really know the system as well as you could and as an engineer it is their job to understand the system inside out. Admittedly, we become obsessed with the detail in the docs such that in family life when a new device is bought and most of my family want to just plug it in and see if it works, I always want them to stop and read the install/run instructions provided first. Often it doesn't matter, but sometimes it does. Computer operating systems are complex - Linux is not plug and play (so they claim) Windows - so reading the docs, the man pages, the details in the likes of Arch Linux Wiki is the road to Linux perfection. KL distros exist because FirstRib initrd, which is at the heart of these, was created following detailed reading of the docs (including kernel docs concerning overlay filesystem). But okay, the suck and see approach works sometimes, but the engineering approach of first reading everything needed tends more usually to result in faster more perfect results. Often the very wheel that is being reinvented is already covered and explained in the docs - if only someone had read them. A case in point with Ventoy is the already provided mechanism in Ventoy for booting normal frugal installed distros (rather than isos or image files) - the creation of a simple text file per 'the docs' is enough to do that; some, who did not read the Ventoy docs, basically spent a lot of unneeded time messing with the internal grub2 scripts to effect the same thing... wasn't necessary.


Re: How to get Ventoy working again after Windows update BROKE IT!

Posted: Thu Sep 19, 2024 9:31 am
by HarveyH

@wiak

That wasn't pride. It was self-depreciation.