Secure Boot is an industry standard for ensuring that Windows devices do not load malicious firmware or software during the boot process. If you have it turned on, as you should in most cases (it is the default setting required by Microsoft), good for you. However, if you are using one of the more than 300 motherboard models made by the manufacturer MSI in the last 18 months, you may not be protected.
Introduced in 2011, Secure Boot establishes a chain of trust between hardware and the software or firmware that boots a device. Before Secure Boot, devices used software known as a BIOS, which was installed on a small chip, to tell them how to boot and to recognize and start hard drives, CPUs, memory, and other hardware. Once finished, this mechanism loads the bootloader, which activates tasks and processes for loading Windows.
The problem was that the BIOS would load any bootloader located in the proper directory. That permissiveness allowed hackers who had brief access to a device to install fake bootloaders that would, in turn, run malicious firmware or Windows images.
When Secure Boot falls apart
About a decade ago, the BIOS was superseded by UEFI (Unified Extensible Firmware Interface), an operating system in its own right that could prevent loading system drivers or boot loaders that weren’t digitally signed by their trusted vendors.
UEFI is based on databases of trusted and revoked signatures that OEMs load into the non-volatile memory of motherboards at the time of manufacture. The signatures list the signers and cryptographic hashes of each authorized bootloader or UEFI-controlled application, a measure that establishes the chain of trust. This chain ensures that the device boots securely using only known and trusted code. If unknown code is scheduled to load, Secure Boot shuts down the boot process.
A researcher and student recently discovered that more than 300 motherboard models from Taiwan-based MSI do not, by default, implement Secure Boot and allow any bootloader to run. The models work with various hardware and firmware, including many from Intel and AMD (the full list is here). The flaw was introduced sometime in Q3 2021. The researcher accidentally discovered the issue while attempting to digitally sign various components of his system.
“On December 11, 2022, I decided to set up Secure Boot on my new desktop with the help of sbctl,” wrote Dawid Potocki, a Polish-born researcher now living in New Zealand. “Unfortunately, I found that my firmware was…accepting all OS images I gave it, regardless of whether it was trusted or not.” It was not the first time he had self-signed Secure Boot, and he was not doing it wrong.
Potocki said he found no indication that motherboards from manufacturers ASRock, Asus, Biostar, EVGA, Gigabyte and NZXT suffer from the same deficiency.
The researcher went on to report that the broken Secure Boot was a result of MSI inexplicably changing its default settings. Users who want to implement Secure Boot, which really should be everyone, need to go into the settings of the affected motherboard. To do that, hold down the Delete button on the keyboard while the device is booting up. From there, select the menu that says Security\Secure Boot or something like that and then select the Image Execution Policy submenu. If your motherboard is affected, Removable Media and Fixed Media will be set to “Always Run”.
To fix this, change “Always Run” for these two categories to “Deny Run”.
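The following is an added illustration, not code from the article, from Potocki or from MSI firmware. It is a simplified model of the signature databases and the Image Execution Policy described above, showing why “Always Run” makes an enabled Secure Boot accept any image. It assumes a hash-only allow list (real firmware also checks certificates and signatures), and all function names, policy dictionaries and sample images are constructed for the example.

```python
import hashlib

# Policy labels as they appear on this page; media categories are the two it lists.
ALWAYS_RUN, DENY_RUN = "Always Run", "Deny Run"
MEDIA = ("Removable Media", "Fixed Media")

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def verify_image(image: bytes, db: set, dbx: set) -> bool:
    """True only if the hash is in the trusted list (db) and not revoked (dbx)."""
    h = image_hash(image)
    return h in db and h not in dbx

def boot_decision(image: bytes, media: str, db: set, dbx: set, policy: dict):
    """Return (allowed, reason) for one image loaded from one media type."""
    if verify_image(image, db, dbx):
        return True, "verified"
    if policy[media] == ALWAYS_RUN:
        # Verification failed, but the policy lets the image run anyway.
        return True, "unverified, allowed by policy"
    return False, "unverified, denied"

def weak_entries(policy: dict) -> list:
    """Media types whose policy defeats enforcement even with Secure Boot enabled."""
    return sorted(m for m in MEDIA if policy.get(m) != DENY_RUN)

# Constructed sample data: stand-ins for real bootloader binaries.
TRUSTED = b"vendor-signed bootloader"
REVOKED = b"old bootloader with a revoked hash"
UNKNOWN = b"bootloader nobody authorized"
DB = {image_hash(TRUSTED), image_hash(REVOKED)}
DBX = {image_hash(REVOKED)}

AFFECTED_DEFAULT = {m: ALWAYS_RUN for m in MEDIA}  # default described on this page
HARDENED = {m: DENY_RUN for m in MEDIA}            # after the manual fix

if __name__ == "__main__":
    for name, policy in (("affected default", AFFECTED_DEFAULT), ("hardened", HARDENED)):
        print(name, "weak entries:", weak_entries(policy))
        for label, img in (("trusted", TRUSTED), ("revoked", REVOKED), ("unknown", UNKNOWN)):
            print("  ", label, boot_decision(img, "Removable Media", DB, DBX, policy))
```
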
In a Reddit post published on Thursday, an MSI representative confirmed Potocki’s findings. The representative wrote:
We preemptively set Secure Boot to Enabled and “Always Run” as the default setting to offer a user-friendly environment that allows multiple end-users the flexibility to build their PC systems with thousands (or more) of components that included their choice. integrated. ROM, including OS images, resulting in more compatible configurations. For users who are very concerned about security, they can still set the “Image Execution Policy” to “Deny Execution” or other options manually to meet their security needs.
The post said that MSI will be releasing new firmware versions that will change the default setting to “Deny Execution”. The subreddit linked above contains a discussion that can help users troubleshoot any issues.
As mentioned, Secure Boot is designed to prevent attacks in which an untrustworthy person surreptitiously gains brief access to a device and tampers with its firmware and software. Such hacks are usually known as “Evil Maid attacks”, but a better description is “Stalker Ex-Boyfriend attacks”.