Thursday, January 19th 2023

About 300 MSI Motherboard Models Have a Faulty Secure Boot Implementation with Certain UEFI Firmware Versions

The UEFI Secure Boot feature is designed to prevent malicious code from executing during the system boot process, and has been a cybersecurity staple since the late-2000s, when software support was introduced with Windows 8. Dawid Potocki, a New Zealand-based IT student and cybersecurity researcher, discovered that as many as 300 motherboard models by MSI have a faulty Secure Boot implementation with certain versions of their UEFI firmware, which allows just about any boot image to load. This is, however, limited to certain UEFI firmware versions, which were released as beta versions.

Potocki stumbled upon this when he found that his PRO Z790-A WiFi motherboard failed to verify the cryptographic signatures of boot-time binaries at system boot. "I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not." He then began examining other motherboard models, and discovered close to 300 MSI motherboard models with a broken Secure Boot implementation. He clarified that MSI laptops aren't affected, only their desktop motherboards. Potocki says that affected MSI motherboards have an "always execute" policy set for Secure Boot, which makes the mechanism worthless, and theorized a possible reason. "I suspect this is because they probably knew that Microsoft wouldn't approve of it and/or that they get less tickets about Secure Boot causing issues for their users."
Source: The Register
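As an added check, not code from the article, from MSI or from Potocki: a Python script that reads the SecureBoot and SetupMode variables and the db signature database from Linux efivars, so a defender can see what the firmware reports and which certificates it trusts. The GUIDs are the UEFI specification's well-known values; the buffers built in demo() are constructed samples, not captures from an MSI board.

```python
"""Added example (not the article's or MSI's code): read UEFI Secure Boot state
from Linux efivars and parse the db signature database (EFI_SIGNATURE_LIST)."""
import struct, uuid
from pathlib import Path

GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE
IMGSEC = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # EFI_IMAGE_SECURITY_DATABASE
CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID

def var_data(buf: bytes) -> bytes:
    """efivars files begin with a 4-byte attribute word; the value follows it."""
    return buf[4:]

def is_set(buf: bytes) -> bool:
    return var_data(buf) == b"\x01"            # SecureBoot/SetupMode are 1-byte flags

def signature_entries(db: bytes):
    """Yield (signature_type, owner, payload) for each entry in a db/dbx blob."""
    off = 0
    while off < len(db):
        if off + 28 > len(db):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size < 16 or end > len(db):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=db[pos:pos + 16])
            yield sig_type, owner, db[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def report(variables: dict) -> dict:
    get = lambda name, guid: variables.get(f"{name}-{guid}")
    sb, setup, db = get("SecureBoot", GLOBAL), get("SetupMode", GLOBAL), get("db", IMGSEC)
    entries = list(signature_entries(var_data(db))) if db else []
    return {"secure_boot": bool(sb) and is_set(sb), "setup_mode": bool(setup) and is_set(setup),
            "db_entries": len(entries), "db_x509": sum(t == CERT_X509 for t, _, _ in entries)}

def read_efivars(root=Path("/sys/firmware/efi/efivars")) -> dict:
    return {p.name: p.read_bytes() for p in root.iterdir()} if root.is_dir() else {}

def demo() -> dict:
    attrs = b"\x06\x00\x00\x00"       # constructed sample, not captured: BS|RT attributes
    ents = b"".join(uuid.UUID(int=0).bytes_le + p for p in (b"CERT-A", b"CERT-B"))
    siglist = CERT_X509.bytes_le + struct.pack("<III", 28 + len(ents), 0, 22) + ents
    return report({f"SecureBoot-{GLOBAL}": attrs + b"\x01", f"SetupMode-{GLOBAL}": attrs + b"\x00",
                   f"db-{IMGSEC}": attrs + siglist})
```

On a live system, `report(read_efivars())` gives the firmware's own claim; a SecureBoot value of 1 is necessary but not sufficient evidence of enforcement, since the affected MSI firmware reported Secure Boot enabled while its image execution policy still ran unsigned images.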

29 Comments on About 300 MSI Motherboard Models Have a Faulty Secure Boot Implementation with Certain UEFI Firmware Versions

#1
Space Lynx
Astronaut
Is SecureBoot on by default on new motherboards? Pretty sure mine says off in the BIOS last time I looked, and that was its default status... hmm is this something I should turn on?
#2
Selaya
breaking news: snake oil is actually nonfunctional.
duh.
#3
Chaitanya
Won't be surprised to find Shitsus having an even worse security hole in its overpriced garbage ROG boards thanks to firmware phoning home for Armoury Crate. Now MSI joins Gigabyte and Asus on the list of boards to avoid, leaving ASRock the only option with boards of decent value for money.
#4
DrCR
If it’s indeed an issue with only beta firmware, then this feels like a tempest in a thimble. Props to the dude for self marketing I guess.
#6
Chomiq
Quoting Bjørgersson: How did he test ~300 motherboards?
Find people with various models and ask them to verify?
#7
Bjørgersson
Quoting Chomiq: Find people with various models and ask them to verify?
Fair enough after all. :)
#8
ncrs
Quoting Chomiq: Find people with various models and ask them to verify?
That sounds impractical ;)
I think that an analysis of BIOS update files was performed, especially since the article indicates that only specific versions were affected.
#9
bug
Quoting DrCR: If it’s indeed an issue with only beta firmware, then this feels like a tempest in a thimble. Props to the dude for self marketing I guess.
I'm on the fence. Betas come with a risk of unknown issues. However if MSI made these available to the public without mentioning SecureBoot is disabled, they could still be in hot water.

These boards could make interesting candidates for running Win11, I guess.
#10
thewan
Quoting Selaya: breaking news: snake oil is actually nonfunctional.
duh.
MSI deliberately made their implementation of secure boot not work on purpose. It's the same as installing a padlock on your gate, but leaving it unlocked because you were too lazy to lock and unlock it every time you leave your house.
#11
AlB80
It's not a bug. It's the feature.
#12
Fouquin
Quoting Chaitanya: ASRock the only options with boards for decent value for money.
But according to some users here ASRock is "only for poors who can't afford better." I don't know who to believe anymore, maybe the entire industry is just shit? :P
#13
bug
Quoting Fouquin: But according to some users here ASRock is "only for poors who can't afford better." I don't know who to believe anymore, maybe the entire industry is just shit? :p
We're down to Asus, MSI, Gigabyte and AsRock. There's no competition anymore, of course everyone will cut corners every now and then. Asus - all about RGB, almost always the most expensive of the bunch; MSI - cheaps out on BIOS size and has to remove support for older Zens to enable support for newer ones; Gigabyte - almost no Intel networking; AsRock - nothing special about them anymore, bricked me a motherboard years ago with a misconfigured BIOS. And for all of them, where some sort of debug LEDs were once present on almost all but the cheapest motherboards, they're now reserved for the high-end.

Not pretty, but not anything we can do about it either.
#14
DeathtoGnomes
The NSA is not happy their hacks were found. :rolleyes:
#15
Selaya
Quoting thewan: MSI deliberately made their implementation of secure boot not work on purpose. Its the same as installing a padlock on your gate, but leaving it unlock because you were lazy to lock and unlock it every time you leave your house.
my point is, secure boot, whether actually functional or not, is snake oil regardless and thus of no (actual) value
#16
INSTG8R
Vanguard Beta Tester
And here I am on an MSI board I just bought it of necessity and now this…my last BIOS was in April I believe…
#17
ThrashZone
Hi,
Install 11 and see what happens; hell, I use workarounds on all new requirements :cool:
#18
TheEndIsNear
Quoting Chaitanya: Wont be surprised to find Shitsus having even worse security hole in its overpriced garbage ROG boards thanks to firmware phoning home for Armory crate. Now MSI joins Gigabyte and Asus on boards to avoid leaving ASRock the only options with boards for decent value for money.
Yeah I feel ya there right now. I don't know why I got away from ASRock. Never had a problem with them and the features for the money are pretty damn good.
#19
milewski1015
It takes all of about 15 seconds to boot into BIOS, navigate to Secure Boot settings, and modify the policy for Fixed Media and Removable Media to "Deny Execute". Did it last night. Problem solved. Whether it actually makes a difference or not though remains to be seen.

Link to the list
#20
INSTG8R
Vanguard Beta Tester
Quoting milewski1015: It takes all of about 15 seconds to boot into BIOS, navigate to Secure Boot settings, and modify the policy for Fixed Media and Removable Media to "Deny Execute". Did it last night. Problem solved. Whether it actually makes a difference or not though remains to be seen.

Link to the list
Crap I made the list…I guess I’ll try what you did and hope for the best. I mean I can’t see getting myself in a situation where I’d be vulnerable but…
#21
NoneRain
Quoting INSTG8R: Crap I made the list…I guess I’ll try what you did and hope for the best. I mean I can’t see getting myself in a situation where I’d be vulnerable but…
You already are vulnerable, my friend. You just don't know how, I mean, now you know at least one vul.
#22
R-T-B
Quoting Selaya: breaking news: snake oil is actually nonfunctional.
duh.
It's not snake oil exactly. A lot of techies won't use it but it has use cases. And if it isn't working it is an issue.
#23
Juventas
Quoting Bjørgersson: How did he test ~300 motherboards?
In his original article he has added this:
I have noticed that some websites have misreported about this issue because they have not fully read my article. This firmware version only affects B450 TOMAHAWK MAX, other motherboards have different versions.
I see this story is everywhere now. Did none of them read the original article? dawidpotocki.com/en/2023/01/13/msi-insecure-boot/
#24
aQi
The 300 series faced a lot from that EFI coming from MSI.
My z390 tomahawk still cannot boot from uefi, tried a lot of bios versions yet the system kept restarting trying to load windows. Finally kept it aside and saved time with strix z370.
#25
BatRastard
I actually discovered MSI's Secure Boot issues in October 2021 when I tried to enroll Ventoy's MOK Manager to no avail on my B550 A-PRO. The BIOS that shipped with the board was from January and when I updated to AGESA 1.2.0.3c, Secure Boot stopped Ventoy dead. I gave up until I flashed to AGESA 1.2.0.6 and this BIOS triggered a language corruption bug in the BIOS if an exFAT USB was inserted, so I didn't trust testing to see if Ventoy would enroll. Finally, MSI released AGESA 1.2.0.7 in June and later re-released another AGESA 1.2.0.7 in August and this BIOS enrolled Ventoy's MOK Manager right out of the gate. The changelog on these BIOS releases was the same: "Windows 11 Support. Change the default setting for Secure Boot" This is where MSI blanket changed the default policy from "Query User" to "Always Execute" but never said a peep about that in the changelog ...

EDIT: ROFLMAO

MSI_Gaming/comments/10g9v3m