A firmware update made Secure Boot useless for hundreds of MSI motherboards

Alfonso Maruccia

Posts: 193   +92
Staff
Why it matters: Secure Boot is a technology designed to protect the PC boot chain and avoid running a tampered operating system. A firmware update released by MSI, however, changed the feature settings so that any OS image could run regardless of its legitimacy.

According to a young security researcher, MSI last year released a firmware update which made many of its motherboards less secure than they should have been.

First discovered by Dawid Potocki, a "student interested in FOSS and technology," the issue concerns the Secure Boot feature on a significant number of MSI motherboards. Secure Boot is designed to make sure that a device boots using only software that is trusted by the OEM manufacturer, Microsoft explains.

When the PC starts, the firmware checks the signature of each piece of boot software (UEFI firmware drivers, EFI applications, the operating system). If the signatures are valid, the PC boots and the firmware gives control back to the operating system.

To work as intended, Secure Boot must be enabled and configured in a way that the booting process will accept operating systems with valid signatures only. Starting with a firmware update introduced at the beginning of 2022, Potocki discovered, MSI decided to change the Secure Boot default configuration to "accepting every OS image I gave it, no matter if it was trusted or not."

Potocki says he discovered the issue while setting up Secure Boot on his new desktop PC with the help of sbctl. He self-signed the Secure Boot process, but the UEFI firmware was booting every OS regardless of the signature. The firmware update changed a Secure Boot setting named "Image Execution Policy," which was set to "Always Execute" rather than "Deny Execute" as it should have been.

With no signature verification and enforcing, Secure Boot is essentially useless even when it's enabled. Potocki was able to trace the insecure default settings to firmware version 7C02v3C, an update released by MSI for the B450 TOMAHAWK MAX motherboard on January 18, 2022. The total number of affected motherboards is over 290, both for Intel and AMD processors.

Even though Secure Boot can be made effective again by just changing the Image Execution Policy options to "Deny Execute," MSI has yet to issue a statement about the reason for turning off an important security feature for a large number of consumer motherboards.

Permalink to story.

 

Julnor

Posts: 68   +79
Secureboot is useless, it basically just forces you to use Windows. That's all it does. It's not going to prevent spyware or any other security issues with Windows either. It makes no sense as a feature. If you're installing your OS you know what you're installing already, if you aren't installing it you probably just have a preloaded MS OS and won't touch the BIOS.
 

human7

Posts: 152   +131
Secureboot is useless, it basically just forces you to use Windows. That's all it does. It's not going to prevent spyware or any other security issues with Windows either. It makes no sense as a feature. If you're installing your OS you know what you're installing already, if you aren't installing it you probably just have a preloaded MS OS and won't touch the BIOS.

In general, Windows uses it the most and there are concerns about secure boot locking out other OSes, but you can use it with Linux. Like with most things in Linux, it's not as user friendly, more of the "here's your cake, now go compile it yourself" variety. Or, in this case, configure. Part of the problem is that there are so many Linux distros, it would be impractical to have trusted keys for every single one. Once configured, it's primary usecase seems to be (apart from showing that your software is the same as when it was signed) when using the TPM for full disk encryption and you don't want to reconfigure the TPM every time you do a kernel update, as this user details: https://pawitp.medium.com/the-correct-way-to-use-secure-boot-with-linux-a0421796eade.
 

Theinsanegamer

Posts: 3,957   +7,003
In general, Windows uses it the most and there are concerns about secure boot locking out other OSes, but you can use it with Linux. Like with most things in Linux, it's not as user friendly, more of the "here's your cake, now go compile it yourself" variety. Or, in this case, configure. Part of the problem is that there are so many Linux distros, it would be impractical to have trusted keys for every single one. Once configured, it's primary usecase seems to be (apart from showing that your software is the same as when it was signed) when using the TPM for full disk encryption and you don't want to reconfigure the TPM every time you do a kernel update, as this user details: https://pawitp.medium.com/the-correct-way-to-use-secure-boot-with-linux-a0421796eade.
How convenient that the Microsoft created "secure boot" is a PITA to make work with linux. I'm sure that wasnt intentional....
 

Bullwinkle M

Posts: 849   +767
How convenient that the Microsoft created "secure boot" is a PITA to make work with linux. I'm sure that wasnt intentional....

So......Microsoft tried to kill or subvert Linux "by accident" before finally pretending to have a Peaceful Co-Existence?

So......Intel accidentally put a conditional Kill Switch in their motherboards that can prevent end users from running any specific Operating Systems of their choosing at any future time and date they like?
(I own one and triggered the kill switch ON VIDEO! - No more XP for YOU!)

So......Microsoft murdered Windows XP on purpose?
And they call valid copies of XP that came directly from Microsoft "Non-Genuine" by accident if they do not include Microsofts Genuine Disadvantage Malware?

So......Windows 8.1 Trial installers that add a rootkit to your boot drive, preventing re-installs of Windows XP unless you 1st run killdisk on the drive is just another accident?

And I suppose UEFI firmware preventing Windows XP installs is just ANOTHER accident?

Man they sure are unlucky

And WOW, I sure do LOVE my Native Boot XP machines!
 

Mr Majestyk

Posts: 1,564   +1,470
Oh my god, how do all us poor plebs on older non tpm 2 MB's sleep at night, knowing we aren't secure. I'm only installing a windows 11 on a test machine that has TPM check disabled. It will be just as secure as my win 10 is currently.

Can M$ prove win 11 is suffering less from malicious software than 10?
 

toooooot

Posts: 1,827   +983
I rediscovered secure boot with a new motherboard. Fifa 23 would not run unless it was enabled. I wish it was not there at all.