More than 300 models of MSI motherboards have Secure Boot disabled.  Is yours affected?

Secure Boot is an industry standard to ensure Windows devices do not load malicious firmware or software during the boot process. If you have it enabled – as you should in most cases, and it’s the default setting mandated by Microsoft – good for you. However, if you have used one of more than 300 MSI motherboard models in the last 18 months, you may not be protected.

Introduced in 2011, Secure Boot establishes a chain of trust between the hardware and the software or firmware that boots a device. Before Secure Boot, devices used firmware known as BIOS, stored on a small chip, that told them how to boot up and how to recognize and initialize hard drives, CPUs, memory, and other hardware. Once that is complete, the firmware loads the bootloader, which in turn starts the tasks and processes that load Windows.

The problem was that the BIOS loaded any bootloader placed in the right directory. This permissiveness allowed hackers who had brief access to a device to install rogue bootloaders that would in turn run malicious firmware or Windows images.

When Secure Boot falls apart

About a decade ago, BIOS was replaced by UEFI (Unified Extensible Firmware Interface), a standalone operating system that can refuse to load system drivers or bootloaders that are not digitally signed by a trusted vendor.

UEFI relies on databases of trusted and revoked signatures that OEMs load into the motherboard's non-volatile memory at the time of manufacture. These databases hold the signing certificates and cryptographic hashes of each authorized bootloader or UEFI application, and it is this list that anchors the chain of trust. The chain ensures that the device boots securely and runs only code that is known and trusted. If unknown code is about to be loaded, Secure Boot halts the boot process.

A researcher and student recently found that more than 300 motherboard models from Taiwan-based company MSI do not enforce Secure Boot by default and allow any bootloader to run. The models support a variety of hardware and firmware, including many Intel and AMD platforms (see the full list here). The flaw was introduced sometime in the third quarter of 2021. The researcher discovered the problem by accident while attempting to digitally sign various components of his own system.

“On 12/11/2022 I decided to set up Secure Boot on my new desktop using sbctl,” wrote Dawid Potocki, a Polish-born researcher now based in New Zealand. “Unfortunately, I found that my firmware… would accept any OS image I gave it, whether it was trusted or not. It wasn’t the first time I’ve self-signed Secure Boot; I didn’t do anything wrong.”

Potocki said he found no evidence that motherboards from manufacturers ASRock, Asus, Biostar, EVGA, Gigabyte and NZXT have the same defect.

The researcher further reported that the broken Secure Boot was the result of an inexplicable change in default settings by MSI. Users who want Secure Boot actually enforced (which everyone really should) will need to open the firmware settings on their affected motherboard. To do this, hold down the Delete key on the keyboard while the device boots up. From there, open the menu named Security\Secure Boot (or similar) and then the Image Execution Policy submenu. If your motherboard is affected, both the Removable Media and Fixed Media entries will be set to Always Execute.


To resolve the issue, change “Always Execute” to “Deny Execute” for these two categories.
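As an added illustration, not code from the article, from Potocki or from MSI, here is a small Python model of the two mechanisms described above: a parser for the EFI_SIGNATURE_LIST format that the Secure Boot db/dbx variables use, and a decision function that shows why "Always Execute" makes those databases irrelevant while "Deny Execute" refuses an image whose hash is not enrolled. The signature-type GUIDs are the ones from the UEFI specification; the owner GUID, the image bytes and the x509 entry are constructed placeholders, and the decision function checks hash entries only.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

def parse_signature_lists(blob):
    """Walk a db/dbx payload: back-to-back EFI_SIGNATURE_LIST structures (type GUID,
    u32 ListSize/HeaderSize/SignatureSize, optional header, then SignatureSize-byte
    entries of owner GUID + data). On Linux efivarfs skip the 4-byte attributes first."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or pos > end or end > len(blob) or (end - pos) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, items):
    """Constructed helper: pack one header-less EFI_SIGNATURE_LIST for the sample."""
    body = b"".join(owner.bytes_le + item for item in items)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(items[0])) + body

def boot_decision(policy, image, db_entries):
    """Model the Image Execution Policy. 'Always Execute' (the MSI default) never
    consults db; 'Deny Execute' runs an image only if its SHA-256 is enrolled. Real
    firmware also verifies Authenticode signatures against x509 entries (omitted)."""
    if policy == "Always Execute":
        return "execute"
    digest = hashlib.sha256(image).digest()
    return "execute" if any(t == "sha256" and d == digest for t, _, d in db_entries) else "deny"

# Constructed sample db: two enrolled image hashes plus one placeholder x509 entry.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder owner GUID
TRUSTED_IMAGE = b"constructed: bytes of an enrolled bootloader"
UNKNOWN_IMAGE = b"constructed: bytes of an image nobody signed"
SAMPLE_DB = build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [
    hashlib.sha256(TRUSTED_IMAGE).digest(), hashlib.sha256(b"other enrolled image").digest(),
]) + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"placeholder, not a real DER certificate"])
```

Feeding a real db variable (attribute prefix stripped) to parse_signature_lists lists what the firmware would actually trust once the policy is set to Deny Execute.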

In a Reddit post published on Thursday, an MSI representative confirmed Potocki’s findings. The representative wrote:

We preemptively set Secure Boot to Enabled and “Always Execute” as the default setting to offer a user-friendly environment that allows multiple end-users to build their PC systems with thousands (or more) components containing their built-in option ROM, including OS images, resulting in higher compatibility configurations. For users who are very concerned about security, they can still manually set the “Image Execution Policy” as “Deny Execute” or other options to meet their security needs.

The post states that MSI will release new firmware versions that will change the default settings to “Deny Execute”. The subreddit linked above has a discussion that may help users troubleshoot issues.

As previously mentioned, Secure Boot is designed to prevent attacks in which an untrustworthy individual secretly gains brief access to a device and tampers with its firmware and software. Such hacks are usually known as “Evil Maid Attacks”, but a better description is “Stalker Ex-Boyfriend Attacks”.
