Ventoy 1.1.14 Updates Secure Boot Support

Ventoy 1.1.14 updates its Secure Boot shim file to address the UEFI CA 2023 issue, alongside VentoyPlugson changes.

Ventoy 1.1.14 has been released as the latest maintenance update to the popular open-source tool for creating multiboot USB drives, with the main change being an updated Secure Boot shim file, which the project says addresses the UEFI CA 2023 issue.

As we informed you earlier, newer UEFI Secure Boot environments are moving through the Microsoft UEFI CA 2023 transition, and boot tools that depend on older shim handling can face compatibility problems. Ventoy 1.1.14 updates that component, helping the tool remain usable on systems with Secure Boot enabled.

Apart from that, the release updates VentoyPlugson, the web-based tool for configuring Ventoy’s plugin system, which lets users manage configuration options more conveniently instead of editing JSON plugin files manually.

Another related change is the addition of a new global control plugin option named VTOY_SECURE_BOOT_POLICY. According to Ventoy’s documentation, this string option controls the UEFI Secure Boot policy. When set to “0”, Ventoy bypasses the Secure Boot check; when set to “1”, it follows the UEFI Secure Boot policy check. The default value is “0”.

For additional details, refer to the changelog. Users can download Ventoy 1.1.14 from the project’s GitHub release page, where Linux, Windows, and LiveCD builds are available.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

2 Comments

  1. Michael

    I am not 100% sure exactly what does this mean. I have been using ventoy for a few years and its pre-boot UEFI security handling has always been excellent except for a few cases – at least in desktop PC. I will try to get a better understanding of the article but would someone care to explain what does this mean in layman terms?

    1. Ricardo

      The Linux shims, the one used by distros supporting SecureBoot, is signed by Microsoft with a key that expires in a couple of years.
      The new shims, like Ventoy updated, are also signed with a new key (also by Microsoft) released in 2023, hence the moniker “Microsoft UEFI CA 2023”.

      Newer machines come by default with only the new key, so if you try to boot a system with a shim that has only been signed with the old key, the boot will fail.

      Most older machines came with the old key (from 2011 if I recall correctly) but can be updated with the new one, both coexisting. That way you can verify old and new shims.

      Hope that clarified it for you and that I didn’t worsen it 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *