MSI accidentally broke secure boot on nearly 300 motherboards


It has been reported that 290 MSI motherboard models do not enforce UEFI Secure Boot in their default configuration; MSI reportedly changed the default in one of its firmware updates. As a result, an affected computer will boot any operating system image regardless of whether it carries a digital signature and whether that signature is authentic.

    Image source: Bleeping Computer


Secure Boot is a UEFI security feature that verifies the digital signature of each boot component (boot managers, drivers and the operating system loader) before the firmware executes it. If an image is unsigned, or its signature does not match the image or chain to a certificate the firmware trusts, Secure Boot refuses to execute it and halts the boot, which protects the data stored on the computer from a tampered boot path. This blocks bootkits and rootkits from being loaded through UEFI, and the user is alerted when a signature check fails.

Polish security researcher Dawid Potocki reported that Secure Boot is not enforced on MSI motherboards. His research found that the issue affects many MSI motherboards for both Intel and AMD processors running the latest firmware, including the newest models. Potocki noted that after discovering the issue he tried several times to contact MSI representatives but received no response.

    Image source: dawidpotocki.com


As the screenshot above shows, the Image Execution Policy is set to "Always Execute" even though Secure Boot itself is reported as enabled. Potocki traced the change to firmware update 7C02v3C, released on January 18, 2022, which altered the default security settings. With this policy the firmware executes every EFI image it is handed, so the operating system boots even if its bootloader is unsigned or its signature has been modified; the "enabled" status is misleading because the signature check is never applied. Potocki ran into the problem on his own computer in mid-December 2022 and then set out to determine whether other MSI motherboards enforce Secure Boot by default. For the full list of affected motherboards, see the list released on GitHub. To fix the problem, users themselves need to set the Image Execution Policy to "Deny Execute" for both "Removable Media" and "Fixed Media" in the firmware settings.
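The practical lesson of this incident is that "Secure Boot: Enabled" as seen from the operating system is not the same thing as enforcement. The following script is an added example written for this article, not code from Potocki or MSI. It parses the artefacts an OS can see (the SecureBoot and SetupMode variables in the efivars on-disk layout, the db signature database as a chain of EFI_SIGNATURE_LIST structures, and the Certificate Table of a PE/COFF boot image) and then makes the point explicit: the vendor's Image Execution Policy is not a UEFI variable, so the verdict can only be settled by recording the result of an actual unsigned-image boot attempt. All sample inputs (variable blobs, the owner GUID, the signature database and the minimal PE images) are constructed in the script and are assumptions, not real firmware data.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST entries.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PE certificate table entry type used by Authenticode
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed owner GUID

def efivar_payload(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ start with a 4-byte attribute mask; strip it."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    return raw[4:]

def build_signature_list(sig_type, owner, payloads):
    """Construct one EFI_SIGNATURE_LIST (header + entries); used here to build sample db data."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

def parse_signature_db(data: bytes) -> list:
    """Walk the chain of EFI_SIGNATURE_LIST structures that make up db/dbx/KEK."""
    entries, off = [], 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = data[off + 28 + hdr_size:off + list_size]
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16 or len(body) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        kind = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]  # SignatureOwner GUID followed by the hash or DER certificate
            entries.append({"type": kind, "owner": str(uuid.UUID(bytes_le=entry[:16])), "data": entry[16:]})
        off += list_size
    return entries

def build_pe(signature_blob=None) -> bytes:
    """Construct a minimal PE32+ image, optionally with a WIN_CERTIFICATE table appended.
    A stand-in for a bootloader for parsing purposes, not a runnable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0002)  # x86-64, 240-byte optional header
    opt = struct.pack("<H", 0x20B) + bytes(110)                      # PE32+ magic + zeroed fields
    dirs = [(0, 0)] * 16
    cert = b""
    if signature_blob is not None:
        cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        dirs[4] = (0x40 + 4 + 20 + 240, len(cert))                   # certificate table: file offset, size
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + cert

def pe_has_authenticode(image: bytes) -> bool:
    """True if the PE image carries a PKCS#7 entry in its Certificate Table (data directory 4).
    Presence is not validity: the firmware still has to verify the chain against db,
    which is exactly the step an "Always Execute" policy skips."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 24                                  # skip PE signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dir_base = opt_off + (112 if magic == 0x20B else 96)     # PE32+ vs PE32 optional header size
    cert_off, cert_size = struct.unpack_from("<II", image, dir_base + 4 * 8)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(image):
        return False
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", image, cert_off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < dw_length <= cert_size

def secure_boot_posture(secureboot_var, setupmode_var, db_var, boot_image) -> dict:
    """What the OS can learn from the UEFI variables and the boot image alone."""
    db = parse_signature_db(efivar_payload(db_var))
    return {
        "variables_claim_enforcing": efivar_payload(secureboot_var)[:1] == b"\x01"
                                     and efivar_payload(setupmode_var)[:1] == b"\x00",
        "db_x509_certs": sum(e["type"] == "x509" for e in db),
        "db_sha256_hashes": sum(e["type"] == "sha256" for e in db),
        "boot_image_signed": pe_has_authenticode(boot_image),
    }

def enforcement_verdict(posture: dict, unsigned_image_booted=None) -> str:
    """The Image Execution Policy is vendor setup data, not a UEFI variable, so the only
    conclusive test is trying to boot an unsigned EFI image and recording the outcome."""
    if not posture["variables_claim_enforcing"]:
        return "not enforced: SecureBoot variable is 0 or the platform is in setup mode"
    if unsigned_image_booted is None:
        return "unverified: variables report enabled; boot an unsigned image to confirm"
    if unsigned_image_booted:
        return "not enforced: unsigned image executed despite SecureBoot=1 (Always Execute policy)"
    return "enforced: unsigned image was rejected"

# Constructed sample inputs in the efivars on-disk layout (4-byte attribute mask + data).
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00" + b"\x01"
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00" + b"\x00"
SAMPLE_DB = b"\x27\x00\x00\x00" + (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x00\x04DER!"]))
SAMPLE_SIGNED_IMAGE = build_pe(b"\x30\x82\x00\x08PKCS7...")  # placeholder blob, not a real signature
SAMPLE_UNSIGNED_IMAGE = build_pe()
```

Run `secure_boot_posture(...)` on the real files (`/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and the `db` variable on Linux, plus the bootloader from the EFI system partition) and the report will look healthy on an affected MSI board: the SecureBoot variable reads 1, db is populated, and the bootloader carries a signature. That is the same information that tools such as `mokutil --sb-state` print, which is why they say "enabled" here. `enforcement_verdict` therefore refuses to say "enforced" until it is given the result of a real unsigned-image boot attempt, which is the one check that exercises the Image Execution Policy itself.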

About the author

Dylan Harris

Dylan Harris is fascinated by tests and reviews of computer hardware.
