Drive Eraser - All versions
Booting Blancco Drive Eraser fails on devices with Secure Boot enabled, with the message "Secure Boot – Selected boot image did not authenticate" or "No valid digital signature found, booting stopped by Secure Boot".
Microsoft has recently released security update KB5012170, which includes changes to the UEFI Secure Boot DBX (Forbidden Signature Database) module. These changes are intended to fix the security vulnerability known as "There's a Hole in the Boot" (ADV200011), which allows a Secure Boot bypass.
As part of these changes, certain vulnerable UEFI modules are being added to the DBX. This prevents many third-party applications, including Blancco Drive Eraser, from booting successfully on devices with Secure Boot enabled.
As a workaround, to boot Blancco software successfully on a machine that has this security update installed, the device needs to have:
- Secure Boot disabled
- UEFI mode switched to legacy BIOS mode
For certain devices it may be enough to restore the Secure Boot keys to factory state/reset all Secure Boot keys to platform defaults through the BIOS/UEFI settings.
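To tell in advance whether a Windows machine is in the state described above (UEFI with Secure Boot enforcing and KB5012170 installed), the following PowerShell check can be run from an elevated session before attempting to boot Drive Eraser. It is an added example, not Blancco's code; the function name Get-SecureBootBootRisk and the wording of its assessment strings are assumptions made here.

```powershell
# Added example, not Blancco code. Run in an elevated (Administrator) PowerShell session.
# Get-SecureBootBootRisk is a hypothetical helper name chosen for this example.
function Get-SecureBootBootRisk {
    $r = [ordered]@{
        FirmwareMode      = 'UEFI'
        SecureBootEnabled = $false
        KB5012170Present  = $false
        DbxBytes          = $null
        Assessment        = $null
    }

    try {
        # Returns $true/$false on UEFI systems; throws on platforms without UEFI Secure Boot.
        $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch [System.PlatformNotSupportedException] {
        $r.FirmwareMode = 'Legacy BIOS or no Secure Boot support'
    } catch [System.UnauthorizedAccessException] {
        throw 'Elevation required: start PowerShell as Administrator.'
    } catch {
        $r.FirmwareMode = "Unknown ($($_.Exception.Message))"
    }

    # Only reports whether this update package is recorded as installed;
    # it does not inspect which entries the dbx actually contains.
    if (Get-HotFix -Id 'KB5012170' -ErrorAction SilentlyContinue) {
        $r.KB5012170Present = $true
    }

    if ($r.SecureBootEnabled) {
        try {
            # Size of the forbidden-signature variable, useful for before/after comparison.
            $r.DbxBytes = (Get-SecureBootUEFI -Name dbx -ErrorAction Stop).Bytes.Length
        } catch {
            $r.DbxBytes = 0   # dbx variable absent or unreadable
        }
    }

    $r.Assessment = if (-not $r.SecureBootEnabled) {
        'Secure Boot is not enforcing: the signature rejection described here does not apply.'
    } elseif ($r.KB5012170Present) {
        'Secure Boot on and KB5012170 installed: expect affected Drive Eraser builds to be blocked.'
    } else {
        'Secure Boot on, KB5012170 not recorded: the dbx contents are not verified by this check.'
    }
    [pscustomobject]$r
}

Get-SecureBootBootRisk | Format-List
```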
A long-term fix to mitigate this change will be implemented in a future Blancco Drive Eraser release. Once implemented, booting on Secure Boot enabled devices will be supported.
A limited availability release based on Drive Eraser 7.7.1 (and newer) is available in which this issue is fixed. Contact Blancco Technical Support for more details.
The Windows security update released on 9th of May fixes the vulnerability CVE-2023-24932 (Secure Boot Security Feature Bypass Vulnerability). This security update affects the Drive Eraser 7.6.0 limited Secure Boot version.
Blancco has released a limited Drive Eraser 7.7.1 Secure Boot variant which includes a fix for the Secure Boot issue. Contact Blancco Technical Support for more details.
Introduced a limited availability variant of Drive Eraser 7.6.0 which includes a fix to the Secure Boot issue. Contact Blancco Technical Support for more details.
Update November 2022 - January 2023
Blancco has added some updates to the SHIM and to the application. The Linux community has asked a couple of questions, but the review is still "in-progress".
Update November 2022
Blancco submits a new SHIM (as well as an official application) to be signed by Microsoft. This SHIM has to be reviewed by the Linux community first, then by Microsoft. If everything is OK, Microsoft signs the SHIM and Blancco can add it into Blancco Drive Eraser.
This procedure is not in the hands of Blancco and there is no clear ETA on when the Linux community will review the SHIM or when Microsoft will approve it.
Update October 2022
Blancco Development team starts building a new SHIM (binary that is signed by both Microsoft and Blancco, re-enabling the Secure Boot process).