It turns out that secure boot does not work at all on MSI motherboards of more than 290 models



Motherboards in circulation in recent years are equipped with a function 'Secure Boot' that restricts the bootable OS and strengthens security. However, security researcher Dawid Potocki has revealed that there is a flaw in the secure boot of MSI motherboards. The flaws found are common to more than 290 types of motherboards, and PCs with those motherboards may run an unsafe OS.

MSI's (in) Secure Boot - Dawid Potocki

https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/

Secure boot is a security function installed in UEFI that can block the booting of an unsigned OS or an incorrectly signed OS by comparing the OS signature with the signature information stored in the UEFI firmware when the PC boots. increase.

However, when Mr. Potocki tried to install the OS on a PC equipped with an MSI motherboard, it became clear that an unsigned OS could be started even though secure boot was enabled.

Below is the UEFI screen of the MSI motherboard taken by Mr. Potocki. You can see that the item that determines the operation of secure boot is set to 'Always Execute' in the initial state. In other words, the motherboard used by Mr. Potocki had the secure boot itself enabled, but the essential 'secure boot operation setting' was set to 'run the OS in any case', so it made no sense at all. In other words, it was not completed.



As Potocki gathered information, it became clear that similar problems were occurring on multiple motherboards.



As a result of further analysis, it became clear that the firmware distributed after the third quarter of 2022 had a situation where ``secure boot is not actually working''. More than 290 models of motherboards are affected, and Potocki publishes a list of affected motherboards at the link below.

MSI has very insecure Secure Boot defaults Issue #181 Foxboron/sbctl GitHub
https://github.com/Foxboron/sbctl/issues/181



Potocki also recommends changing the secure boot setting from 'Always Execute' to 'Deny Execute' as a countermeasure.

in Hardware,   Security, Posted by log1o_hf