Why it matters: Secure Boot is a technology designed to protect the PC boot chain and prevent a tampered operating system from running. A firmware update released by MSI, however, changed the feature's settings so that any OS image would run regardless of its legitimacy.
According to a young security researcher, MSI last year released a firmware update which made many of its motherboards less secure than they should have been.
First discovered by Dawid Potocki, a "student interested in FOSS and technology," the issue concerns the Secure Boot feature on a large number of MSI motherboards. Secure Boot is designed to make sure that a device boots using only software that is trusted by the OEM, as Microsoft explains.
When the PC starts, the firmware checks the signature of each piece of boot software (UEFI firmware drivers, EFI applications, the operating system's loader). If the signatures are valid, the PC boots and the firmware hands control over to the operating system.
To work as intended, Secure Boot must be enabled and configured so that the boot process accepts only images with valid signatures. Starting with a firmware update released at the beginning of 2022, Potocki found, MSI changed the Secure Boot default configuration to, in his words, "accepting every OS image I gave it, no matter if it was trusted or not."
Potocki says he discovered the issue while setting up Secure Boot on his new desktop PC with the help of sbctl. He had enrolled his own self-signed keys, but the UEFI firmware booted every OS regardless of its signature. The firmware update had changed a Secure Boot setting named "Image Execution Policy" to "Always Execute" rather than the "Deny Execute" it should have been set to.
Without signature verification and enforcement, Secure Boot is essentially useless even when it is enabled: the firmware reports it as on, while no image is ever rejected. Potocki was able to trace the insecure default settings to firmware version 7C02v3C, an update released by MSI for the B450 TOMAHAWK MAX motherboard on January 18, 2022. The total number of affected motherboards is over 290, covering both Intel and AMD platforms.
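The failure mode above is awkward to spot because the firmware still reports Secure Boot as enabled; the only ground truth for the Image Execution Policy is whether an unsigned image actually boots, which is the test Potocki ran. The script below, an added example written for this page and not code from MSI, Potocki or sbctl, covers the two things that *can* be checked from a running Linux system: what the firmware reports through the `SecureBoot` and `SetupMode` variables in efivarfs, and whether a given EFI binary carries an Authenticode certificate table at all (the data the firmware checks in the signature step described earlier). It only detects the presence and type of a signature; it does not verify it against the firmware's `db`, and a firmware set to "Always Execute" will still show "enforcing" here. The `build_test_image` helper constructs a minimal, non-bootable PE32+ skeleton purely so the parser can be exercised offline; the efivars paths and the PE offsets are from the UEFI and PE/COFF specifications.

```python
"""Report what the firmware says about Secure Boot and whether EFI images are signed.

Added example for this article. It cannot see the Image Execution Policy;
it shows why the OS-visible signals alone are insufficient.
"""
import struct
import sys
from pathlib import Path
from typing import Optional, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # GUID used by SecureBoot/SetupMode
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def efivar_payload(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with 4 bytes of attribute flags; strip them."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    return raw[4:]


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Classify what the firmware *reports*: 'enforcing', 'setup-mode' or 'disabled'.

    A firmware whose Image Execution Policy is 'Always Execute' still returns
    'enforcing' here, so this is a necessary but not a sufficient check.
    """
    sb = efivar_payload(secure_boot_raw)
    sm = efivar_payload(setup_mode_raw)
    if sm[:1] == b"\x01":
        return "setup-mode"
    return "enforcing" if sb[:1] == b"\x01" else "disabled"


def authenticode_cert(pe: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (wCertificateType, certificate bytes) from the PE security directory, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x20B:                            # PE32+, what x86-64 EFI images use
        num_dirs_off, ddir = opt + 108, opt + 112
    elif magic == 0x10B:                          # PE32
        num_dirs_off, ddir = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", pe, num_dirs_off)
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    # Unlike other directories, the security entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, ddir + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return None                               # no certificate table: unsigned
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE
    if length < 8 or length > size or off + length > len(pe):
        raise ValueError("corrupt WIN_CERTIFICATE header")
    return cert_type, pe[off + 8:off + length]


def build_test_image(cert: Optional[bytes]) -> bytes:
    """Constructed sample data: a minimal PE32+ header skeleton, not a bootable binary."""
    opt_size = 240                                 # PE32+ optional header size
    cert_off = 0x40 + 4 + 20 + opt_size            # certificate table directly after headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)          # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    blob = b""
    if cert is not None:
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, cert_off, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


def report(image_paths):
    """Print the firmware-reported state and the signature status of each image given."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
        print("firmware reports Secure Boot:", secure_boot_state(sb, sm))
    except OSError as exc:
        print("efivars not readable (not UEFI, or no permission):", exc)
    for path in image_paths:
        cert = authenticode_cert(Path(path).read_bytes())
        status = "signed (cert type 0x%04x, %d bytes)" % (cert[0], len(cert[1])) if cert else "UNSIGNED"
        print(f"{path}: {status}")


if __name__ == "__main__":
    report(sys.argv[1:])   # e.g. sudo python3 sbcheck.py /boot/efi/EFI/BOOT/BOOTX64.EFI
```

If this reports "enforcing" and your loader is signed, you still have not learned what the Image Execution Policy is; to test it the way Potocki did, boot a deliberately unsigned EFI binary and confirm the firmware refuses it.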
Even though Secure Boot can be made effective again simply by changing the Image Execution Policy option back to "Deny Execute" in the firmware setup, MSI has yet to issue a statement about why it turned off an important security feature on so many consumer motherboards. Since the insecure value arrived as a changed default in a firmware update, the setting is worth re-checking after every future BIOS update rather than assuming it persists.