[issue]: Unable to proceed with SecureBoot in serial_console mode #2784

Open
1 task done
ahussey-redhat opened this issue Mar 22, 2024 · 3 comments

Comments

@ahussey-redhat

Official FAQ

  • I have checked the official FAQ.

Ventoy Version

1.0.97

What about latest release

Yes. I have tried the latest release, but the bug still exists.

Try alternative boot mode

No. I didn't try these alternative boot modes.

BIOS Mode

UEFI Mode

Partition Style

MBR

Disk Capacity

32GB

Disk Manufacturer

Sandisk

Image file checksum (if applicable)

None

Image file download link (if applicable)

No response

What happened?

I am deploying RHEL on a Dell XR4000w (https://www.dell.com/support/manuals/en-au/poweredge-xr4000w/pexr4000w_ism_pub/witness-host-deployment?guid=guid-a2b82040-42d0-4c1a-a5cd-9b17f44343e3&lang=en-us).

I can successfully do this using a standard RHEL ISO, or by using a standard RHEL ISO + mkksiso to inject a kickstart file, but I would like to use Ventoy as it offers more flexibility.

When it boots from the USB I get the following screen - note that the XR4000w only has a serial console
image

I attempt to follow the instructions at https://www.ventoy.net/en/doc_secure.html, but get the following error when I press [ENTER]
image

If I press enter again or the timeout exceeds, the host resets

@ahussey-redhat
Author

ahussey-redhat commented Mar 22, 2024

If I quickly press enter it progresses to this:
image

I can select options, but the selected option isn't highlighted so I have to guess
image

@ahussey-redhat
Author

ahussey-redhat commented Mar 22, 2024

After successful enrolment, everything seems to progress correctly

A question, unrelated to this issue - is it possible for Ventoy to modify the `efiboot.img`? In this environment the installer falls back to the UEFI config in that image, which means on boot I have to manually edit the boot menu to enable `console=ttyS0,115200`. I have already defined the `conf_replace` files with the appropriate modifications

    "conf_replace": [
        {
            "iso": "/rhel-9.3-x86_64-dvd.iso",
            "org": "/isolinux/isolinux.cfg",
            "new": "/ventoy/isolinux.cfg"
        },
        {
            "iso": "/rhel-9.3-x86_64-dvd.iso",
            "org": "/isolinux/grub.conf",
            "new": "/ventoy/isolinux-grub.conf"
        },
        {
            "iso": "/rhel-9.3-x86_64-dvd.iso",
            "org": "/EFI/BOOT/grub.conf",
            "new": "/ventoy/efi-boot-grub.cfg"
        }
    ]

This is what I have to type in every time I boot from the USB, even with the above modifications
image

@catherinedoyel

The Ventoy secure boot is based off of enrolling a Machine Owner Key (MOK). If someone gets root they can add files from the VTOYEFI partition and rootkit your machine by putting some of these files in your EFI system partition, as all Ventoy installations use the same MOK key and do not restrict what other binaries you can boot from. I like to think of the Ventoy secure boot support like a bolt cutter on a padlock. To remove the key I would get this rpm; you do not need to install this package, just extract it, get KeyTool.efi from usr/share/efitools/efi, and put it on your Ventoy with your ISOs. You can then delete MOK with password 123 if it asks for it.

As for your boot configuration issue, I would recommend attaching your conf & cfg files to the issue to take a closer look. You wouldn't want to edit the efiboot.img file directly.
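To audit whether a given certificate, such as the shared MOK discussed in the comment above, is enrolled on a host, the following added example (not part of the thread and not Ventoy's own code) compares the certificate's SHA-1 fingerprint with the `SHA1 Fingerprint:` lines printed by `mokutil --list-enrolled`. The certificate path is supplied by the reader, and the sample certificate bytes and `mokutil` output are constructed stand-ins.

```python
import base64
import hashlib
import re

# Matches the per-key fingerprint line in `mokutil --list-enrolled` output.
FP_RE = re.compile(r"SHA1 Fingerprint:\s*((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})")

# Constructed stand-ins: SAMPLE_CERT is NOT a real certificate, only bytes
# with a known SHA-1; SAMPLE_MOKUTIL imitates the shape of the tool's output.
SAMPLE_CERT = b"abc"
SAMPLE_MOKUTIL = """[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
[key 2]
SHA1 Fingerprint: A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
Certificate:
    Data:
        Version: 3 (0x2)
"""

def cert_sha1(data):
    """SHA-1 fingerprint (lowercase hex) of a certificate in DER or PEM form."""
    if data.lstrip().startswith(b"-----BEGIN"):
        # PEM: drop the armor lines and decode the base64 body back to DER.
        body = b"".join(l.strip() for l in data.splitlines()
                        if l.strip() and not l.strip().startswith(b"-----"))
        data = base64.b64decode(body)
    return hashlib.sha1(data).hexdigest()

def enrolled_sha1(mokutil_output):
    """All enrolled-key fingerprints, normalized to lowercase hex without colons."""
    return [fp.replace(":", "").lower() for fp in FP_RE.findall(mokutil_output)]

def is_enrolled(cert, mokutil_output):
    """True if the certificate's fingerprint appears among the enrolled MOKs."""
    return cert_sha1(cert) in enrolled_sha1(mokutil_output)

if __name__ == "__main__":
    import subprocess
    import sys
    # Usage: python3 check_mok.py /path/to/certificate (DER or PEM)
    with open(sys.argv[1], "rb") as fh:
        cert = fh.read()
    out = subprocess.run(["mokutil", "--list-enrolled"],
                         capture_output=True, text=True, check=True).stdout
    print("ENROLLED" if is_enrolled(cert, out) else "not enrolled")
```
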
