
Author Topic: Ventoy and Secure-Boot  (Read 4050 times)

Offline PDP-8

  • Hero Member
  • *****
  • Posts: 915
Ventoy and Secure-Boot
« on: October 16, 2021, 07:18:07 AM »
Well, whaddya' know?  Apparently Ventoy supports secure-boot.  I placed this subject here so as not to distract too much.

So I revisited Ventoy and TC.  Well, TinyCorePure64 to be specific.

Sure, I like making my own 64-bit sticks of TC for modern uefi-only hardware, but now that it seems that Ventoy has supported getting past secure boot, my interest has been rekindled and I will have to do some testing later.

So I did the slacker-install.  Made a Ventoy stick to act as the front end boot.  Copied the TinyCorePure64 iso into it.  And as we all know, that's not enough so a separate stick to hold a fully populated tce directory was created (basically the cde tree renamed to tce).  And during the TC boot menu, I manually edited the kernel parameters to point to tce rather than cde.  The standard stuff.

Works great so far on my uefi-only machines that already have secure-boot disabled.

Bleary eyes prevent me from going further, so I'll try to make a Ventoy that supports secure-boot, lock down one of my machines, and see how that goes.

That's my main interest, not so much any sort of desire to slack a 64-bit install, or have a distro-hopping stick at the ready - where if it breaks, you get to keep all the pieces and not bug the devs about it. !

We'll see after some good sleep.
That's a UNIX book! - cool  -- Garth

Offline PDP-8

  • Hero Member
  • *****
  • Posts: 915
Re: Ventoy and Secure-Boot
« Reply #1 on: October 16, 2021, 05:50:05 PM »
SUCCESS!!!

I locked down a non-production machine with Secure Boot.  And tested it to make sure it barfed on other distros that would normally boot just fine.  The AMI bios was pretty recent from 2019.  On a machine that is also UEFI-ONLY in addition - no csm/legacy options available.  (secure-boot and uefi are two different issues)

Using Ventoy as the front-end bootloader, with secure-boot support enabled when initially making the ventoy drive, it allowed me to enroll keys and boot the TinyCorePure64 iso without any problems!

This is significant, since TC for me is not just a race to the desktop/browser.  It is more of a research/learning environment that I love.

Being able to slack by just copying an iso into the Ventoy stick was not the main objective.  I can partition, format, and create my own 64 bit sticks just fine.  It was secure-boot that was the main objective to get over.  Seeing TC run on a locked-down box was a tear-jerker.

So for me, Ventoy is a game-changer when it comes to TC.  Binaries and source for both the windows and linux versions are available.  Full discussion of Ventoy is probably best left elsewhere, but just know that it takes just a *little* a-priori Tinycore-Fu, such as creating persistence somewhere else upon which to draw on is necessary for most operations.

I know it's not everyone's cup of tea to use a front-end, but I think this relieves the devs from having to even think or deal with secure-boot on very modern gear, and for that matter any uefi weirdness or hybrid-iso's and the like and can concentrate on TC proper.

So considering the modern hardware circumstances, I think even Roberts might approve.


That's a UNIX book! - cool  -- Garth
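
A check that can be run from the booted session to confirm the firmware still reports Secure Boot as on, as in the locked-down test described in the post above. This is an added example, not code from the thread, Ventoy or Tiny Core; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the UEFI Secure Boot state from efivarfs.
# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032bbc

# An efivarfs file is 4 bytes of attribute flags followed by the payload;
# SecureBoot and SetupMode each carry one payload byte (0 or 1).
efivar_byte() {
    # $1 = efivars directory, $2 = variable name; prints the payload byte
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

secure_boot_state() {
    # $1 = efivars directory (assumed default: the usual mount point)
    dir="${1:-/sys/firmware/efi/efivars}"
    if [ ! -d "$dir" ]; then
        # Booted through BIOS/CSM, or efivarfs is not mounted
        echo "legacy-or-no-efivarfs"
        return 0
    fi
    sb=$(efivar_byte "$dir" SecureBoot) || sb=""
    sm=$(efivar_byte "$dir" SetupMode) || sm=0
    case "$sm:$sb" in
        1:*) echo "setup-mode" ;;   # no Platform Key enrolled, nothing enforced
        *:1) echo "enabled" ;;
        *:0) echo "disabled" ;;
        *)   echo "unknown" ;;      # variable missing or truncated
    esac
}

secure_boot_state
```

"enabled" here means the firmware is enforcing signature checks; it says nothing about which keys (including any enrolled through the boot stick) are trusted.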

Offline gadget42

  • Hero Member
  • *****
  • Posts: 789
Re: Ventoy and Secure-Boot
« Reply #2 on: October 17, 2021, 03:06:54 AM »
For future readers / searchers regarding Ventoy:
Ventoy website URL "https://www.ventoy.net" displays a blank page on non-javascript browsing (Dillo, No-Script, etc.)
"https://www.ventoy.net/en/index.html" works (as-of-20211017)
The fluctuation theorem has long been known for a sudden switch of the Hamiltonian of a classical system Z54 . For a quantum system with a Hamiltonian changing from... https://forum.tinycorelinux.net/index.php/topic,25972.msg166580.html#msg166580

Offline PDP-8

  • Hero Member
  • *****
  • Posts: 915
Re: Ventoy and Secure-Boot
« Reply #3 on: October 17, 2021, 06:49:52 PM »
To be clear - it should be viewed as a *tool* for getting TC past very strange UEFI or even Secure-Boot and not a wholesale replacement for normal installation routines.

Perhaps a dumpster-diver finds a super modern machine's bios locked down with an administrative password that won't allow for disabling secure-boot.  Ventoy will get you past that so that TC (64 bit) can boot and can rock that fast hardware.

Just know that you'll need to put your persistence TCE directory somewhere else.  By default, Ventoy uses 2 partitions - the second to boot from, and the first to hold iso's and other data.  This first partition is formatted in exFAT by default, and TC does not recognize that format.  This isn't a punishment, but helps accommodate those that may be using WinPE or some other funky setup.  We are free to reformat that 1st partition to our liking if need be.

SO, use a separate device to hold your persistence.  OR, you can reformat that first partition to ext2/3/4/vfat that TC will recognize and put the iso back into that freshly formatted first partition.  You can now point your persistent tce directory there too.  But now you have all your eggs in one basket/stick.  I prefer to keep them separate.

Just be warned - you SHOULD understand a little bit about TC before just blindly trying to distro-hop with Ventoy.  Like how to edit kernel parameters upon boot to point persistence to the right place and so forth.

« Last Edit: October 17, 2021, 06:52:04 PM by PDP-8 »
That's a UNIX book! - cool  -- Garth

Offline argenkiwi

  • Newbie
  • *
  • Posts: 1
Re: Ventoy and Secure-Boot
« Reply #4 on: March 19, 2022, 08:40:22 PM »
Is there a way to configure TCL to work with Ventoy's Persistence Plugin?

Offline PDP-8

  • Hero Member
  • *****
  • Posts: 915
Re: Ventoy and Secure-Boot
« Reply #5 on: March 20, 2022, 05:25:47 PM »
Could be, but I see that as an unnecessary complication.

The easiest way to achieve that if you want TC's filesystem to live on the same stick, would be to reformat the 1st partition to ext2/3/4 or vfat, and use that for the tce directory.  Put the TC64 iso back on that reformatted 1st partition if you like, although the latest Ventoy's allow you to browse/navigate to any other filesystem to hunt down the iso.  (F2)

So for me, the use of Ventoy is really not to make an iso multibooter, but merely to provide a more advanced front-end bootloader for those machines that don't recognize the TC64 iso as bootable.

Once booted, all the standard TC options apply according to need.  Use the fromISOfile command either post-boot, or in /opt/bootsync.sh ?  Sure.

Use tce-setdrive to put the tce directory anywhere you want, and build up a system from there?  Sure.

In two cases, I've merely made a Ventoy stick onto micro-sd cards without doing anything else since those ports are rarely used.  But it makes a great front-end bootloader, since once written, it is only read-from when TC64 iso lives on another filesystem internally so I'm not even wearing out the sd-card - even though TC running from ram hardly touches it anyway.

I guess in the end what I'm saying is that there is no one good answer - TC and Ventoy together are so flexible that you simply find out what works for you best.
That's a UNIX book! - cool  -- Garth

Offline gadget42

  • Hero Member
  • *****
  • Posts: 789
ventoy's supported operating system webpage is interesting - ventoy20220325

link(requires javascript to function properly):
https://www.ventoy.net/en/distrowatch.html

20220325-0446am - current page reports 247 operating systems check ok

sharing is caring
The fluctuation theorem has long been known for a sudden switch of the Hamiltonian of a classical system Z54 . For a quantum system with a Hamiltonian changing from... https://forum.tinycorelinux.net/index.php/topic,25972.msg166580.html#msg166580

Offline PDP-8

  • Hero Member
  • *****
  • Posts: 915
Re: Ventoy and Secure-Boot
« Reply #7 on: March 25, 2022, 07:04:03 PM »
The best part is that it is NOT a windows-only utility.

Even better is the ability to dd a stand-alone Ventoy boot disk with absolutely no iso's on it since you can merely navigate (F2) to any other supported filesystem to find the TC64 ISO once it boots.

It is a convenient way to solve the "TinycorePure64 doesn't boot on my machine".  Ok, will a Ventoy disk boot?  If so, you are golden, if not, then don't blame TC. :)

Being able to navigate to other filesystems, rather than being forced to put the iso on the same Ventoy boot stick, is very convenient, especially if the filesystem the TC64 iso is on is not fat32, but say ext2/3/4 - whatever you choose to place the iso on in the first place.

The only downside, is that for permanent grub modifications, you have to use the Ventoy json plugin method to do so.  And possibly using the fromISOfile command after boot.

But I imagine that most who need to just fire up TC64 quickly from an iso, won't be permanently modifying their grub.cfg file anyway.

I live mostly in the xfbdev / fltk / flwm environment, but will admit I find it useful to put something like Gparted-Live iso on the Ventoy stick for those times when I need to get down with gparted, and still live happily with a very minimal TC for daily operations.
« Last Edit: March 25, 2022, 07:08:58 PM by PDP-8 »
That's a UNIX book! - cool  -- Garth

Offline gadget42

  • Hero Member
  • *****
  • Posts: 789
Re: Ventoy and Secure-Boot
« Reply #8 on: March 30, 2022, 05:09:07 AM »
was reading some on openzfs:
https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Bullseye%20Root%20on%20ZFS.html

and followed a link referencing grub:
https://savannah.gnu.org/bugs/?46700

and noted this specific thread post:
https://savannah.gnu.org/bugs/?46700#comment12

since we have discussed using ventoy to aid in booting operating systems it seemed appropriate to add it to threads mentioning ventoy and booting

sharing is caring
The fluctuation theorem has long been known for a sudden switch of the Hamiltonian of a classical system Z54 . For a quantum system with a Hamiltonian changing from... https://forum.tinycorelinux.net/index.php/topic,25972.msg166580.html#msg166580

Offline gadget42

  • Hero Member
  • *****
  • Posts: 789
Re: Ventoy and Secure-Boot
« Reply #9 on: March 31, 2022, 04:38:57 AM »
The fluctuation theorem has long been known for a sudden switch of the Hamiltonian of a classical system Z54 . For a quantum system with a Hamiltonian changing from... https://forum.tinycorelinux.net/index.php/topic,25972.msg166580.html#msg166580