Probably you didn't delete the file completely but to the recycle bin. I suspect that, even as we are not there yet, this is something that we're eventually going to see (but most likely as a choice for the user to install the fully secured or partially secured version of the OS), culminating in OSes where every single binary that runs needs to be signed, and for the certificates those binaries are signed with to be in the chain of trust of OS. No bootfile found for UEFI! Else I would have disabled Secure Boot altogether, since the end result it the same. The MISO_EFI partition contains only 1 folder called "efi" and another folder in it called "boot" which contains a single file called "bootx64.efi.". Link: https://www.mediafire.com/file/5zui8pq5p0p9zug/Windows10_SuperLite_TeamOS_Edition.iso/file And that is the right thing to do. ubuntu-20.10-desktop-amd64.iso everything is fine If instead I try to install the ISO ubuntu-22.04.1-desktop-amd64.iso I get the following error message: "No bootfile found for UEFI! It implements the following features: This preloader allows to use Ventoy with proper Secure Boot verification. I test it in a VirtualMachine (VMWare with secure boot enabled). Currently there is only a Secure boot support option for check. Maybe we should just ask the user 'This file is not signed by Microsoft for 'Secure Boot' - do you still wish to boot from it?' But Ventoy currently does. What's going on here? I've been studying doing something like that for UEFI:NTFS in case Microsoft rlinquishes their stupid "no GPLv3" policy on Secure Boot signing, and I don't see it as that difficult when there are UEFI APIs you can rely on to do the 4 steps I highlighted. Users enabled Secure Boot to be warned if a boot loader fails Secure Boot validation, regardless of where that bootloader is executed from. Ubuntu.iso). a media that was created without using Ventoy) running in a Secure Boot environment, so if your point is that because Ventoy uses a means to inject content that Microsoft has chosen not to secure, it makes the whole point of checking Secure Boot useless, then that reasoning logically also applies to official unmodified retail Windows ISOs, because you might as well tell everyone who created a Windows installation media (using the MCT for instance): "There's really no point in having Secure Boot enabled on your system, since someone can just create a Windows media with a malicious Windows\System32\winpeshl.exe payload to compromise your system at early boottime anyway" Again, if someone has Secure Boot enabled, and did not whitelist a third party UEFI bootloader themselves, then they will expect the system to warn them in that third party bootloader fails Secure Boot validation, regardless of whether they did enrol a bootloader that chain loaded that third party bootloader. Maybe the image does not support X64 UEFI. Installation & Boot. They all work if I put them onto flash drives directly with Rufus. Now Rufus has achieved support for secure boot as now NTFS:UEFI Driver is signed for secure boot by Microsoft. https://github.com/ventoy/Ventoy/releases/tag/v1.0.33, https://www.youtube.com/watch?v=F5NFuDCZQ00, http://tinycorelinux.net/13.x/x86_64/release/. These WinPE have different user scripts inside the ISO files. Set the VM to UEFI mode and connect the ISO file directly to the VM and boot. The file size will be over 5 GB. Google for how to make an iso uefi bootable for more info. Does the iso boot from s VM as a virtual DVD? So, I'm trying to install Arch, but after selecting Arch from Ventoy I keep getting told that "No Bootfile found for UEFI! 22H2 works on Ventoy 1.0.80. They boot from Ventoy just fine. @ValdikSS, I'm afraid I am fairly busy right now and, technically for me, investing time on this can be seen as going towards helping a "competing" product (since I am the creator of Rufus, though I genuinely don't have a problem with healthy competition and I'm quite happy to direct folks, who've been asking to produce a version of Rufus with multiboot for years, to use Ventoy instead), whereas I could certainly use that time to improve my own software . In Ventoy I had enabled Secure Boot and GPT. EFI Blocked !!!!!!! Vmware) with UEFI mode and to confirm that the ISO file does support UEFI mode. If you have a faulty USB stick, then youre likely to encounter booting issues. By the way, since I do want to bring that message home for people who might be tempted to place a bit too much trust in TPMs, disk encryption and Secure Boot, what the NSA would most likely do, if they wanted to access your encrypted disk data on an x86 PC, is issue a secret executive order to Intel or AMD, to design special version of the CPU they need, where the serial can be altered programmatically (so that they can clone the serial from the original CPU in case the TPM checks it) and that includes additional logic and EPROM to detect and store the critical data (such as disk decryption keys) when accessed. Getting the same error as @rderooy. This means current is 32bit UEFI mode. This ISO file doesn't change the secure boot policy. It means that the secure boot solution doesn't work with your machine, so you need to turn off the option, and disable secure boot in the BIOS. The only way to prevent misuse when booting from USB is to set a BIOS password (and perhaps a boot password), set the BIOS to not boot from USB and it won't hurt to also use an encrypted filesystem for the OS on the hard disk (bitlocker/LUKS). 1.0.84 IA32 www.ventoy.net ===> Thank you very much for adding new ISOs and features. There are two bugs in Ventoy: Unsigned bootloader Linux ISOs or ISOs without UEFI support does not boot with Secure Boot enabled. document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() ); If you have a tech problem, we probably covered it! I tested it but trying to boot it will fail with an I/O error. Tested on ASUS K40IN Maybe the image does not support X64 UEFI! Option 2 will be the default option. Minor one: when you try to start unsigned .efi executable, error message is shown for a very brief time and quickly disappears. VMware or VirtualBox) unsigned kernel still can not be booted. privacy statement. The user could choose to run a Microsoft Windows Install ISO downloaded from the MS servers and Ventoy could inject a malicious file into it as it boots. Many thanks! Google for how to make an iso uefi bootable for more info. I didn't try install using it though. unsigned kernel still can not be booted. Most of modern computers come with Secure Boot enabled by default, which is a requirement for Windows 10 certification process. Can it boot ok? Remove Ventoy secure boot key. Worked fine for me on my Thinkpad T420. You can't just convert things to an ISO and expect them to be bootable! Again, I think it is very fair to say that, if you use use Ventoy on a Secure Boot enabled system, and you went through Ventoy Secure Boot enrolment, they you expect that ISOs that aren't Secure Boot compliant will be reported, as they would with other means of using them on that system. my pleasure and gladly happen :) Some bioses have a bug. Maybe because of partition type The point of this issue is that people are under the impression that because Ventoy supports Secure Boot, they will get the same level of "security" booting Secure Boot compliant media through Ventoy as if they had booted that same media directly, which is indeed a fair expectation to have, since the whole point of boot media creation software is to have the converted media behave as close as possible as the original would. git clone git clone Download ventoy-delete-key-1..iso and copy it to the Ventoy USB drive. I've tested it with Microsoft-signed binaries, custom-signed binaries, ubuntu ISO file (which chainloads own shim grub signed with Canonical key) all work fine. | 5 GB, void-live-x86_64-20191109-xfce.iso | 780 MB, refracta10-beta5_xfce_amd64-20200518_0033.iso | 800 MB, devuan_beowulf_3.0.0_amd64_desktop-live.iso | 1.10 GB, drbl-live-xfce-2.6.2-1-amd64.iso | 800 MB, kali-linux-2020-W23-live-amd64.iso | 2.88 GB, blackarch-linux-live-2020.06.01-x86_64.iso | 14 GB, cucumber-linux-1.1-x86_64-basic.iso | 630 MB, BlankOn-11.0.1-desktop-amd64.iso | 1.8 GB, openmamba-livecd-en-snapshot-20200614.x86_64.iso | 1.9 GB, sol-11_3-text-x86.iso | 600 MB And of course, people expect that if they run UEFIinSecureBoot or similar software, whose goal is explicitly stated as such, it will effectively remove Secure Boot. Ventoy 1.0.55 is available already for download. It's a pain in the ass to do yes, but I wouldn't qualify it as very hard. Secure Boot is tricky to deal with and can (rightfully) be seen as a major inconvenience instead of yet another usually desireable line of defence against malware (but by all means not a panacea). Linux distributives use Shim loader, each distro with it's own embedded certificate unique for each distro. Tested below ISOs on HP ENVY x360- 13-ag0007au (1st-gen Ryzen Mobile convertible laptop, BIOS F.46 Rev.A) with Ventoy 1.0.08 final release in UEFI secure boot mode: Nice job and thanks a lot for this neat tool! Ventoy2Disk.exe always failed to update ? Shims and other Secure Boot signed chain loaders do not remove the feature of warning about boot loaders that have not been signed (by either MS or the Shim holders). I can provide an option in ventoy.json for user who want to bypass secure boot. accomodate this. You can use these commands to format it: Another issue about Porteus and Aporteus : if we copy ISO via dd or other tools or copy ISO contents to EFI partition of USB work perfectly in UEFI. Can't try again since I upgraded it using another method. You were able to use TPM for disk encryption long before Secure Boot, and rightfully so, since the process of storing and using data encryption keys is completely different from the process of storing and using trust chain keys to validate binary executables (being able to decrypt something is very different from being able to trust something). Now that Ventoy is installed on your USB drive, you can create a bootable USB drive by simply copying some ISO files onto the USB, no matter if they are Linux distribution ISOs or Windows 10 / 8 / 7 ISO files. Some known process are as follows: maybe that's changed, or perhaps if there's a setting somewhere to Yes. I downloaded filename Win10_21H2_BrazilianPortuguese_x64.iso Please thoroughly test the archive and give your feedback, what works and what don't. For Hiren's BootCD HBCD_PE_x64.iso has been tested in UEFI mode. Google for how to make an iso uefi bootable for more info. Now, that one can currently break the trust chain somewhere down the line, by inserting a malicious program at the first level where the trust stops being validated, which, incidentally, as a method (since I am NOT calling Ventoy malicious here) is very similar to what Ventoy is doing for Windows boot, is irrelevant to the matter, because one can very much conceive an OS that is being secured all the way (and, once again, if Microsoft were to start doing just that, then that would most likely mark the end of being able to use Ventoy with Windows ISOs since it would no longer be able to inject an executable that isn't signed by Microsoft as part of the boot process) and that validates the signature of every single binary it runs along the way which means that the trust chain needs to start somewhere and (as far as user providable binaries are concerned) that trust chain starts with Secure Boot. How did you get it to be listed by Ventoy? I didn't add an efi boot file - it already existed; I only referenced Currently, on x64 systems, Ventoy is able to run when Secure Boot is enabled, through the use of MokManager to enroll the certificate with which Ventoy's EFI executable is signed. Do I need a custom shim protocol? @pbatard, if that's what what your concern, that could be easily fixed by deleting grubia32.efi and grubx64.efi in /EFI/BOOT, and renaming grubia32_real.efi grubia32.efi, grubx64_real.efi grubx64.efi. privacy statement. If so, please include aflag to stop this check from happening! As Ventoy itself is not signed with Microsoft key. For me I'm missing Hiren's Boot CD (https://www.hirensbootcd.org/) - it's WindowsPE based and supports UEFI from USB. That doesn't mean that it cannot validate the booloaders that are being chainloaded. A lot of work to do.
ventoy maybe the image does not support x64 uefi