MSI has responded to its faulty ‘Secure Boot’ implementation which was highlighted recently by the open-source researcher, Dawid Potocki.
MSI Clarifies Its Position on Secure Boot Implementation On Nearly 300 Motherboards, Others Including ASUS Might Be Affected Too
The Secure Boot functionality on the latest motherboards makes sure that only software/code that is trusted by the hardware vendor is booted by the device. Firmware embedded in the hardware is meant to check the cryptographic signature of each piece of boot software, which includes UEFI drivers, EFI applications, and the OS. According to The Register, Potocki published an extensive blog post where he detailed his findings on the 300 or so motherboards he tested.
His findings showed that around 300 MSI motherboards running some specific firmware versions will allow booting binaries on policy violations by default, thereby not providing any additional security compared to having Secure Boot disabled. The full list of motherboards that feature this implementation can be seen here.
Now MSI has an official statement on the matter posted over at MSI’s Gaming subreddit that can be read below:
MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance defined by Microsoft and AMI before the launch of Windows 11. We preemptively set Secure Boot as Enabled and “Always Execute” as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations. For users who are highly concerned about security, they can still set “Image Execution Policy” as “Deny Execute” or other options manually to meet their security needs.
In response to the report of security concerns with the preset bios settings, MSI will be rolling out new BIOS files for our motherboards with “Deny Execute” as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs.
via MSI Gaming Reddit
We have information available which shows that a similar implementation might also affect boards from other manufacturers such as ASUS and Gigabyte running on specific firmware versions. Note that just like in MSI’s case, this firmware is tagged as BETA and not an official release.
ASUS Secure Boot Violation:
Gigabyte Secure Boot Violation:
The following testing methodology was used for the ASUS and Gigabyte tests:
- Clear CMOS
- Press F5 or F6 or F7 key to “Load Optimized Defaults”
- Test if Secure Boot is working to deny the bootable USB that doesn’t have a valid signature.
- If Secure Boot is not working, try manually adjusting settings in BIOS and see how it works.
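The third step only proves something if the test image really is unsigned. The Python sketch below is an added example, not code from the original article or from Potocki's post: it checks whether a PE/COFF EFI binary carries an embedded Authenticode certificate table. The function names and the sample bytes are constructed for illustration, and the check reports presence only; it does not validate a signature against the firmware's db.

```python
import struct
SECURITY_DIR = 4  # data-directory index of the PE Certificate Table

def certificate_table(image):
    """Return (file_offset, size) of the Certificate Table, or None if absent."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (pe,) = struct.unpack_from("<I", image, 0x3C)         # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    opt = pe + 4 + 20                                     # skip 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return None
    off, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table lies outside the file")
    return off, size

def signature_entries(image):
    """List (revision, type, length) of each WIN_CERTIFICATE entry; [] means unsigned."""
    table = certificate_table(image)
    if table is None:
        return []
    pos, end, found = table[0], table[0] + table[1], []
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        found.append((revision, ctype, length))
        pos += (length + 7) & ~7                          # entries are 8-byte aligned
    return found

def constructed_image(signed):
    """Constructed sample: bare PE32+ headers, optional dummy certificate entry."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    # Placeholder payload below is constructed, not a real PKCS#7 signature.
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8) if signed else b""
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x40 + 4 + 20 + 240, 16)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

An empty result from `signature_entries` on the boot loader of the test USB confirms the image has no embedded signature. Firmware can still allow such an image if its hash is enrolled in db, which is why the methodology starts from cleared CMOS and loaded defaults.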
MSI has also mentioned that users can still set the necessary option manually through their BIOS but they will also be rolling out new BIOS that enables the ‘Deny Execute’ parameter to be set by default. The new BIOS will also retain the fully functional Secure Boot mechanism within the BIOS for users to adjust it manually.