About 300 MSI Motherboard Models Have a Faulty Secure Boot Implementation with Certain UEFI Firmware Versions

[btarunr]

The UEFI Secure Boot feature is designed to prevent malicious code from executing during the system boot process, and has been a cybersecurity staple since the late-2000s, when software support was introduced with Windows 8. Dawid Potocki, a New Zealand-based IT student and cybersecurity researcher, discovered that as many as 300 motherboard models by MSI have a faulty Secure Boot implementation with certain versions of their UEFI firmware, which allows just about any boot image to load. This is, however, localized to only certain UEFI firmware versions, that are released as beta versions.

Potocki stumbled upon this when he found that his PRO Z790-A WiFi motherboard failed to verify the cryptographic signature boot-time binaries at the time of system boot. "I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not." He then began examining other motherboard models, and discovered close to 300 MSI motherboard models with a broken Secure Boot implementation. He clarified that MSI laptops aren't affected, and only their desktop motherboards are. Potocki says that affected MSI motherboards have an "always execute" policy set for Secure Boot, which makes the mechanism worthless, and theorized a possible reason. "I suspect this is because they probably knew that Microsoft wouldn't approve of it and/or that they get less tickets about Secure Boot causing issues for their users."



View at TechPowerUp Main Site | Source

 

[Space Lynx]

Is SecureBoot on by default on new motherboards? Pretty sure mine says off in the BIOS last time I looked, and that was its default status... hmm is this something I should turn on?

 

[Selaya]

breaking news: snake oil is actually nonfunctional.
duh.

 

[Chaitanya]

Wont be surprised to find Shitsus having even worse security hole in its overpriced garbage ROG boards thanks to firmware phoning home for Armory crate. Now MSI joins Gigabyte and Asus on boards to avoid leaving ASRock the only options with boards for decent value for money.

 

[DrCR]

If it’s indeed an issue with only beta firmware, then this feels like a tempest in a thimble. Props to the dude for self marketing I guess.

 

[Bjørgersson]

How did he test ~300 motherboards?

 

[Chomiq]

How did he test ~300 motherboards?

Find people with various models and ask them to verify?

 

[Bjørgersson]

Find people with various models and ask them to verify?

Fair enough after all.

 

[ncrs]

Find people with various models and ask them to verify?

That sounds impractical
I think that an analysis of BIOS update files was performed, especially since the article indicates that only specific versions were affected.

 

[bug]

If it’s indeed an issue with only beta firmware, then this feels like a tempest in a thimble. Props to the dude for self marketing I guess.

I'm on the fence. Betas come with a risk of unknown issues. However if MSI made these available to the public without mentioning SecureBoot is disabled, they could still be in hot water.

These boards could make interesting candidates for running Win11, I guess.

 

[thewan]

breaking news: snake oil is actually nonfunctional.
duh.

MSI deliberately made their implementation of secure boot not work on purpose. Its the same as installing a padlock on your gate, but leaving it unlock because you were lazy to lock and unlock it every time you leave your house.

 

[AlB80]

It's not a bug. It's the feature.

 

[Fouquin]

ASRock the only options with boards for decent value for money.

But according to some users here ASRock is "only for poors who can't afford better." I don't know who to believe anymore, maybe the entire industry is just shit?

 

[bug]

But according to some users here ASRock is "only for poors who can't afford better." I don't know who to believe anymore, maybe the entire industry is just shit?

We're down to Asus, MSI, Gigabyte and AsRock. There's no competition anymore, of course everyone will cut corners every now and then. Asus - all about RGB, almost always the most expensive of the bunch, MSI - cheaps out on BIOS size has to remove support for older Zens to enable support for newer ones, Gigabyte - almost no Intel networking, AsRock - nothing special anymore about them, bricked me a motherboard years ago with a misconfigured BIOS. And for all of them, if once some sort of debug LEDs were once present on almost all, but the cheapest motherboards, they're now reserved to the high-end.

Not pretty, but not anything we can do about it either.

 

[DeathtoGnomes]

The NSA is not happy their hacks were found.

 

[Selaya]

MSI deliberately made their implementation of secure boot not work on purpose. Its the same as installing a padlock on your gate, but leaving it unlock because you were lazy to lock and unlock it every time you leave your house.

my point is, secure boot whether actually functional or not, is snake oil regardless and thus of no (actual value)

 

[INSTG8R]

And here I am on an MSI board I just bought it of necessity and now this…my last BIOS was in April I believe…

 

[ThrashZone]

Hi,
Install 11 and see what happens hell I use workarounds on all new requirements

 

[TheEndIsNear]

Wont be surprised to find Shitsus having even worse security hole in its overpriced garbage ROG boards thanks to firmware phoning home for Armory crate. Now MSI joins Gigabyte and Asus on boards to avoid leaving ASRock the only options with boards for decent value for money.

Yeah I feel ya there right now. I don't know why I got away from asrock. Never had a problem with them and the features for the money are pretty damn good.

 

[milewski1015]

It takes all of about 15 seconds to boot into BIOS, navigate to Secure Boot settings, and modify the policy for Fixed Media and Removable Media to "Deny Execute". Did it last night. Problem solved. Whether it actually makes a difference or not though remains to be seen.

Link to the list

 

[INSTG8R]

It takes all of about 15 seconds to boot into BIOS, navigate to Secure Boot settings, and modify the policy for Fixed Media and Removable Media to "Deny Execute". Did it last night. Problem solved. Whether it actually makes a difference or not though remains to be seen.

Link to the list

Crap I made the list…I guess I’ll try what you did and hope for the best. I mean I can’t see getting myself in a situation where I’d be vulnerable but…

 

[NoneRain]

Crap I made the list…I guess I’ll try what you did and hope for the best. I mean I can’t see getting myself in a situation where I’d be vulnerable but…

You already are vulnerable, my friend. You just don't know how, I mean, now you know at least one vul.

 

[R-T-B]

breaking news: snake oil is actually nonfunctional.
duh.

It's not snake oil exactly. A lot of techies won't use it but it has use cases. An if it isn't working it is an issue.

 

[Juventas]

How did he test ~300 motherboards?

In his original article he has added this:

I have noticed that some websites have misreported about this issue because they have not fully read my article. This firmware version only affects B450 TOMAHAWK MAX, other motherboards have different versions.

I see this story is everywhere now. Did none of them read the original article? https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/

 

[aQi]

The 300 series faced alot from that of EFI coming from MSI.
My z390 tomahawk still cannot boot from uefi, tried alot of bios versions yet the system kept restarting trying to load windows. Finally kept it aside and saved time with strix z370.