Original topic:

Secure Erase USB boot failure

(Topic created: 2 weeks ago)
Members_euZ6bhQ
Constellation

Hi;

I just tried to secure erase a Samsung SATA attached SSD. I went in to Samsung Magician 8.2 (under Windows 11) and created a Linux Bootable USB for UEFI (as I normally boot Windows 11 through UEFI with Secure Boot enabled).

Trying to boot the USB key created fails the same way on two different systems.

The boot process powers off my system(s) after reporting:

"Verifying shim SBAT data failed: Security Policy Violation..."

I have other UEFI software boot USBs that work just fine (a Linux Rocky Live USB, Macrium Reflect bootable USB, etc.) on both systems (in UEFI with Secure boot enabled).

So it looks like this is something peculiar to the Samsung Boot USB that's being created.

I assume I could try to enable 'Legacy Boot' in the BIOS (and create the BIOS boot version of the USB) but I would rather not do that unless I have to since that's not going to make Windows 11 boot very happy.

Anyone know if Samsung is aware of this deficiency? Any place that Samsung provides a direct download to a working secure erase USB image?

0 Likes
4 Replies
3Fees
Red Giant
To boot off a USB drive, one needs to start the "boot menu" with the F8 key or a similar key and then select from the boot menu the device you want to boot from.

The order of booting is in the BIOS; you can bypass it though by getting to the boot menu. If that's what you are doing then your boot files or startup files are corrupt. Also format the USB first in FAT32, then load in your boot files with the secure erase program for windoze program.

Cheers
3Fees
0 Likes
Members_euZ6bhQ
Constellation

> If that's what you are doing then your boot files or startup files are corrupt

I think this is definitely a problem with the USB image being created by Samsung Magician, as this is secure boot related. (Too bad Magician won't or can't do the secure erase from Windows directly).

If I create the UEFI version of the USB (using Magician's own process) then this will not boot with secure boot enabled.

If I disable 'secure boot' in the BIOS (which took me a while to figure out how to do), it will now boot fine (albeit without Secure boot).

This is using the same physical media with no changes to it between not working (secure boot enabled in BIOS) and working (secure boot disabled in BIOS).

If I put my system in to 'CSM compatibility mode' and have Magician create the BIOS version of the USB, then that also boots without apparent issue using the same physical USB drive.

And, if I use any number of other UEFI bootable USBs while Secure boot is enabled then these all boot fine.

I have only tried disabling secure boot on one of the two systems I tried as I am not wanting to mess around too much in the BIOS enabling/disabling secure boot. But I bet the Samsung UEFI image would also boot fine on my other system if I disabled secure boot.

Maybe it's not the same thing, but I vaguely recall that sometime in the last year or two a change was made to secure boot that required people making bootable UEFI images to make a change to be compatible with secure boot.

I would not be surprised if Samsung just failed to update their image with the needed change.

Has anyone else created the UEFI bootable USB (through Magician) and had it successfully boot on a system with Secure boot enabled?

0 Likes
3Fees
Red Giant
Strange, usually a bootable USB with UEFI does not have issues with secure boot.

Cheers
3Fees
0 Likes
Members_euZ6bhQ
Constellation

Although this is targeted at dual-boot systems, the link at https://umatechnology.org/fix-verifying-shim-sbat-data-failed-security-policy-violation-linux-dual-b... mentions the error I'm seeing (when using secure boot).

In general, it appears to be an issue with 'security checks' failing trying to load Linux.

This is possibly related to the MS update such as seen at https://support.microsoft.com/en-us/topic/august-13-2024-kb5041571-os-build-26100-1457-d218c08d-8de2...

Here it mentions:

"[Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image."

I'm not totally sure this is the cause (again because I'm not really dual booting in the traditional sense of two partitions on one drive), but it sounds like it's definitely in the area.

If so, Samsung needs to make an update for this to be compatible.

0 Likes
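The SBAT check behind the "Verifying shim SBAT data failed" message discussed in this thread can be reproduced offline. The following is an added example, not code from any poster, Samsung or Microsoft: it compares the component generations in a boot image's `.sbat` section against a revocation list and reports which components fall below the required level. All sample values are constructed; on a real Linux system the inputs would come from `objcopy --only-section .sbat -O binary <efi binary> /dev/stdout` and `mokutil --list-sbat-revocations`.

```python
# Added illustration of the SBAT generation comparison; sample data is constructed.

def parse_sbat(text):
    """Parse SBAT CSV rows into {component_name: generation}.

    Image rows look like: component,generation,vendor,package,version,url
    Revocation rows look like: component,generation  (first row: sbat,1,<datestamp>)
    """
    entries = {}
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # skip blank or malformed rows
        entries[fields[0]] = int(fields[1])
    return entries


def revoked_components(image_sbat, sbat_level):
    """Return [(component, image_generation, required_generation)] for every
    component in the image whose generation is below the revocation floor.
    An empty list means the image passes the SBAT check."""
    image = parse_sbat(image_sbat)
    floor = parse_sbat(sbat_level)
    return sorted(
        (name, gen, floor[name])
        for name, gen in image.items()
        if name in floor and gen < floor[name]
    )


# Constructed .sbat section of an older boot image (values are illustrative).
OLD_IMAGE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.examplevendor,1,Example Vendor,shim,15.4,https://example.invalid
"""

# Constructed .sbat section of a rebuilt image with a newer shim generation.
NEW_IMAGE_SBAT = OLD_IMAGE_SBAT.replace("shim,1,UEFI shim", "shim,4,UEFI shim")

# Constructed revocation list as firmware would hold it after an SBAT update.
SBAT_LEVEL = """\
sbat,1,2024010100
shim,4
grub,3
"""

if __name__ == "__main__":
    for label, sbat in (("old", OLD_IMAGE_SBAT), ("new", NEW_IMAGE_SBAT)):
        bad = revoked_components(sbat, SBAT_LEVEL)
        print(label, "image:", "REJECTED " + str(bad) if bad else "passes")
```

A non-empty result for a vendor's boot media means the image has to be rebuilt with a newer shim; nothing on the USB stick itself is corrupt.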