Nearly 300 MSI motherboards will run any old code in Secure Boot, no questions asked

Updated The Secure Boot process on almost 300 different PC motherboard models manufactured by Micro-Star International (MSI) isn't secure, which is particularly problematic when "Secure" is part of the process description.

Dawid Potocki, an open source security researcher and student based in New Zealand, found last month that some MSI motherboards with certain firmware versions allow arbitrary binaries to boot despite Secure Boot policy violations.

Secure Boot is a PC security standard intended to ensure that devices boot only software trusted by the maker of the hardware. The device firmware is supposed to check the cryptographic signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system.

That's the theory, anyway.

"On 2022-12-11, I decided to set up Secure Boot on my new desktop with [the] help of sbctl, [the secure boot key manager on Linux]," Potocki explained in a blog post last week. "Unfortunately I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not."

After finding that the MSI PRO Z790-A WIFI failed to verify binaries, Potocki began looking into other MSI motherboards to see if they had similarly lax settings. He found close to 300.

According to Potocki, MSI by default sets "Always execute" on policy violation for everything, making Secure Boot worthless under default settings. In an email to The Register, Potocki confirmed that the motherboards he listed in his GitHub issues post are still affected.

"[MSI's] laptops are not affected, only their desktop motherboards," Potocki wrote. "I suspect this is because they probably knew that Microsoft wouldn't approve of it and/or that they get less tickets about Secure Boot causing issues for their users."

• Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery
• Intel Alder Lake BIOS code leak may contain vital secrets
• Microsoft tries again to ignite interest in DevOps cloud security
• ESET uncovers vulnerabilities in Lenovo laptops

He allows that he may have missed some models, but says users of MSI boards should be able to guess based on other affected motherboards using the same chipset that were built around the same time.

"The list consists mostly of beta firmware versions as they often were the first to introduce this issue," said Potocki. "I could have missed some, as getting beta firmware required me to guess URLs on which they reside, as MSI removes links to them after some time from their 'Support' page."

He added that he's unaware of any firmware build before September 2021 that would be affected.

Potocki said he tried to contact Taiwan-based MSI about his findings but hasn't heard back. He added that he has requested a CVE related to the use of insecure defaults.

"They didn't get in touch with me and I believe that they made this change deliberately, which just makes it worse," he said. "This is because I'm not sure how they would do it by mistake and also have it pass their testing."

He added that he tried to use MSI's web ticketing system and email, and even tried to contact the company through Twitter. But he has received no response.

The Register's attempt to contact MSI has also not prompted any response. ®

Updated to add on January 19

MSI this week posted a note to the MSI Gaming forum on Reddit that described the insecure Secure Boot configuration as a convenience for world plus dog.

“MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance defined by Microsoft and AMI before the launch of Windows 11," the electronics slinger spun.

"We preemptively set Secure Boot as Enabled and ‘Always Execute’ as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations.

"For users who are highly concerned about security, they can still set ‘Image Execution Policy’ as ‘Deny Execute’ or other options manually to meet their security needs.

“In response to the report of security concerns with the preset BIOS settings, MSI will be rolling out new BIOS files for our motherboards with ‘Deny Execute’ as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs.”