The Secure Boot process on almost 300 different PC motherboard models manufactured by Micro-Star International (MSI) isn’t secure, which is particularly problematic when “Secure” is part of the process description.
Dawid Potocki, an open source security researcher and student based in New Zealand, found last month that some MSI motherboards with certain firmware versions allow arbitrary binaries to boot despite Secure Boot policy violations.
Secure Boot is a PC security standard intended to ensure that devices boot only software trusted by the maker of the hardware. The device firmware is supposed to check the cryptographic signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system.
That’s the theory, anyway.
“On 2022-12-11, I decided to set up Secure Boot on my new desktop with [the] help of sbctl, [the secure boot key manager on Linux],” Potocki explained in a blog post last week. “Unfortunately I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not.”
After finding that the MSI PRO Z790-A WIFI failed to verify binaries, Potocki began looking into other MSI motherboards to see if they had similarly lax settings. He found close to 300.
According to Potocki, MSI by default sets “Always execute” on policy violation for everything, making Secure Boot worthless under default settings. In an email to The Register, Potocki confirmed that the motherboards he listed in his GitHub issues post are still affected.
“[MSI’s] laptops are not affected, only their desktop motherboards,” Potocki wrote. “I suspect this is because they probably knew that Microsoft wouldn’t approve of it and/or that they get less tickets about Secure Boot causing issues for their users.”
He allows that he may have missed some models, but says users of MSI boards should be able to guess based on other affected motherboards using the same chipset that were built around the same time.
“The list consists mostly of beta firmware versions as they often were the first to introduce this issue,” said Potocki. “I could have missed some, as getting beta firmware required me to guess URLs on which they reside, as MSI removes links to them after some time from their ‘Support’ page.”
He added that he’s unaware of any firmware build before September 2021 that would be affected.
Potocki said he tried to contact Taiwan-based MSI about his findings but hasn’t heard back. He added that he has requested a CVE related to the use of insecure defaults.
“They didn’t get in touch with me and I believe that they made this change deliberately, which just makes it worse,” he said. “This is because I’m not sure how they would do it by mistake and also have it pass their testing.”
He added that he tried to use MSI’s web ticketing system and email, and even tried to contact the company through Twitter. But he has received no response.
The Register‘s attempt to contact MSI has also not prompted any response. ®