If you look at the technical specifications of most motherboards from MSI, you will see that Secure Boot is listed on hundreds of models. However, a security researcher found that this feature, which is meant to protect the computer's startup, was not doing its job on about 300 motherboard models from the brand. The most worrying point is that the problem was discovered by accident. In the next paragraphs I will explain this story in more detail.
What is Secure Boot?
Secure Boot is a security feature intended to ensure that only legitimate software is loaded during the computer's boot process. It works by verifying that the digital signature of each boot file matches a list of trusted keys stored in advance in the motherboard firmware. If a file does not have a valid signature, the system will not load it, which prevents malicious or untrusted software from running.
Secure Boot is especially important for protecting the system against firmware attacks, such as malware that installs itself in the motherboard firmware or the hard drive firmware. In July of last year, Kaspersky discovered that several motherboards from ASUS and Gigabyte had a firmware virus.
The feature also helps ensure the integrity of the operating system, preventing its files from being modified without authorization. It is enabled by default on computers whose motherboards support the feature, which was first introduced when the UEFI standard replaced the old BIOS.
In addition, Secure Boot is also used to secure mobile devices such as smartphones and tablets, as well as industrial and IoT equipment. It is a technology that is increasingly being adopted to improve the overall security of devices and operating systems.
The (In)Secure Boot of MSI cards
The flaw was discovered by the Polish researcher Dawid Potocki. On his personal blog he tells how he ran into this bizarre error. He says that in December 2022 he tried to configure the Secure Boot function on his desktop computer.
However, even after enabling and configuring Secure Boot, Dawid noticed that the computer kept accepting every operating system ISO image he tried to install, including images that carried no cryptographic signature from a trusted key. He soon realized that something wasn't right.
His first hypothesis was that his computer had a firmware problem. After a few more days of research, he found that his firmware was fine. The problem really was with Secure Boot, or rather, with a change in the default configuration of this security feature.
Taking a deeper look at the Secure Boot settings, he saw a strange setting in the Image Execution Policy: the option Always Execute was enabled by default, even for removable media such as USB sticks. In other words, Secure Boot was active and configured, but it performed no check at all to secure the boot process.
The fix was to change the default configuration from Always Execute to Deny Execute, that is, to deny the execution of unsigned boot images.
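The lesson of this story is that a firmware reporting "Secure Boot enabled" is not the same as a firmware actually enforcing signature checks. The script below is an added example (not code from the article or from Dawid Potocki) showing the defender-side check a Linux user can run: it parses the standard SecureBoot and SetupMode variables as Linux exposes them under efivarfs (4 bytes of attributes followed by the variable data), and it builds constructed sample variable files so the parser can be exercised offline. The directory path, the helper names and the sample values are assumptions for the example; the variable names and the EFI global variable GUID are the standard ones.

```shell
#!/bin/sh
# Added example: read the UEFI SecureBoot / SetupMode variables from efivarfs.
# efivarfs file layout: 4-byte little-endian attributes, then the variable data.
# SecureBoot and SetupMode each hold a single byte (0 or 1).

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # standard EFI global variable GUID
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}" # assumed default location on Linux

# efivar_byte <file>: print the first data byte (offset 4) as a decimal number.
efivar_byte() {
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -t u1 | tr -d ' \n'
}

# secure_boot_status <dir>: prints one of
#   setup-mode  (SetupMode=1: keys not provisioned, nothing is enforced)
#   enabled     (SecureBoot=1 and SetupMode=0)
#   disabled    (SecureBoot=0)
#   unknown     (variable not readable, e.g. legacy BIOS boot or no efivarfs)
secure_boot_status() {
    dir="$1"
    sb="$dir/SecureBoot-$EFI_GLOBAL_GUID"
    sm="$dir/SetupMode-$EFI_GLOBAL_GUID"
    [ -r "$sb" ] || { echo "unknown"; return 0; }
    sbv=$(efivar_byte "$sb")
    smv=0
    [ -r "$sm" ] && smv=$(efivar_byte "$sm")
    if [ "$smv" = "1" ]; then
        echo "setup-mode"
    elif [ "$sbv" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# write_efivar <file> <value>: write a constructed efivarfs-style file with
# attributes NV|BS|RT (0x00000007) and one data byte. Used only for offline testing.
write_efivar() {
    oct=$(printf '%03o' "$2")
    printf "\\007\\000\\000\\000\\$oct" > "$1"
}

# make_sample_efivars <dir> <secureboot> <setupmode>: constructed sample variables.
make_sample_efivars() {
    mkdir -p "$1"
    write_efivar "$1/SecureBoot-$EFI_GLOBAL_GUID" "$2"
    write_efivar "$1/SetupMode-$EFI_GLOBAL_GUID" "$3"
}

# When run directly, report the live firmware state.
echo "Secure Boot state reported by firmware: $(secure_boot_status "$EFIVARS_DIR")"
```

Note what this check can and cannot tell you. An "enabled" result means the firmware claims Secure Boot is on; on the affected MSI boards it would have said exactly that while the Image Execution Policy let any image run. The policy setting lives in the board's setup menu rather than in a standard UEFI variable, so the conclusive test remains the one Dawid performed: try to boot an unsigned image and confirm that the firmware refuses it.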
What does MSI say?
The case generated a lot of discussion on Reddit. MSI defended itself by saying that the Always Execute option is turned on by default to give users more flexibility when building PCs, and that this was guidance given by Microsoft and AMI (the company responsible for the firmware) before the release of Windows 11.
Also noteworthy is that MSI did not document this change in any public announcement, or even in the motherboard manuals. To confirm the change to the default setting, Dawid had to resort to the firmware's UEFI Internal Forms Representation (IFR).
Through the IFR, Dawid Potocki also found that this setting is tied to MSI firmware released between September 2021 and January 2022. More than 300 motherboard models were affected; the complete list can be found on this GitHub page.
By consulting the IFRs of other motherboard manufacturers, such as ASUS, Gigabyte and ASRock, Dawid found that the Secure Boot problem does not recur on their boards.
Sources: Ars Technica, BleepingComputer, Dawid Potocki