Why it matters: Secure Boot is a technology designed to protect a computer’s boot chain and prevent a tampered operating system from being booted. However, a firmware update released by MSI changed the feature’s settings so that any operating system image can be booted regardless of whether it is trusted.
According to a young security researcher, last year MSI released a firmware update that made many motherboards less secure than they should have been.
Dawid Potocki, a “student interested in FOSS and technology”, first discovered this issue with the Secure Boot feature on a large number of MSI motherboards. Secure Boot is designed to ensure that the device boots using only software that is trusted by the original equipment manufacturer, Microsoft explains.
When the computer starts up, the firmware checks the signature of each part of the boot software (UEFI firmware drivers, EFI applications, and the operating system). If the signatures are correct, the computer boots and the firmware returns control to the operating system.
To work as intended, secure boot must be enabled and configured in such a way that the boot process will only accept operating systems with valid signatures. Starting with a firmware update introduced at the beginning of 2022, Potocki discovered, MSI decided to change the default Secure Boot configuration to “accept every operating system image you provide, regardless of whether it is trusted or not.”
Potocki says he discovered the problem while setting up Secure Boot on his new desktop computer with the help of sbctl. He signed the boot binaries himself, but the UEFI firmware booted every OS regardless of its signature. The firmware update had changed the Secure Boot setting called Image Execution Policy to “Always Execute” instead of “Deny Execute”, as it should have been.
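The practical point of this paragraph for defenders is that the firmware can report Secure Boot as enabled while enforcing nothing. The following is an added example, not code from the article or from Potocki, that parses the `SecureBoot` and `SetupMode` UEFI variables as exposed by Linux efivarfs (4-byte attribute header followed by the variable data; the path and the `EFI_GLOBAL_VARIABLE` GUID are standard) and makes the caveat explicit: the variable only records what the firmware claims, not whether the Image Execution Policy actually denies unsigned images. The sample records are constructed.

```python
import struct
from pathlib import Path

# efivarfs layout: a 4-byte little-endian attribute mask, then the variable data.
EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE GUID


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs record into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables: 1 = true, 0 = false."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte boolean, got {len(data)} bytes")
    return data[0] == 1


def secure_boot_status(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Interpret the two variables and flag what they do NOT prove."""
    return {
        "secure_boot_variable": boolean_var(secure_boot_raw),
        "setup_mode": boolean_var(setup_mode_raw),
        # The variable only says the firmware *claims* Secure Boot is on. An
        # "Always Execute" Image Execution Policy is a vendor setup option that
        # efivars does not expose, so enforcement has to be confirmed separately,
        # e.g. by checking that a deliberately unsigned EFI test binary is refused.
        "enforcement_confirmed_by_variable": False,
    }


def read_live_status() -> dict:
    """Read the real variables on a Linux host with efivarfs mounted."""
    def read(name: str) -> bytes:
        return (EFIVARS / f"{name}-{GLOBAL_GUID}").read_bytes()
    return secure_boot_status(read("SecureBoot"), read("SetupMode"))


# Constructed sample records (not captured from a real machine):
# attributes 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the 1-byte value.
SAMPLE_SECURE_BOOT = struct.pack("<I", 0x06) + b"\x01"  # firmware reports "enabled"
SAMPLE_SETUP_MODE = struct.pack("<I", 0x06) + b"\x00"   # firmware reports "user mode"

if __name__ == "__main__":
    print(secure_boot_status(SAMPLE_SECURE_BOOT, SAMPLE_SETUP_MODE))
```

On an affected board the constructed sample is exactly what you would see: `secure_boot_variable` is true and `setup_mode` is false, yet unsigned images still boot. That is why the dictionary carries an explicit `enforcement_confirmed_by_variable` field rather than a single "secure" boolean.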
With no signature verification and enforcement, Secure Boot is basically useless even when enabled. Potocki was able to trace the insecure default settings back to firmware version 7C02v3C, an update released by MSI for the B450 TOMAHAWK MAX motherboard on January 18, 2022. In total, over 290 motherboards are affected, for both Intel and AMD processors.
Although Secure Boot can be made effective again by simply changing the Image Execution Policy option to “Deny Execute”, MSI has yet to issue a statement as to why a significant number of consumer motherboards shipped with an important security feature effectively turned off.