Secure Boot is an industry standard for ensuring that Windows devices do not load firmware or malicious software during the boot process. If you’ve enabled it – as you should in most cases, and it’s the default setting required by Microsoft – good for you. However, if you are using one of the more than 300 motherboard models manufactured by manufacturer MSI in the last 18 months, you might not be protected.
Introduced in 2011, Secure Boot establishes a chain of trust between hardware and the software or firmware that boots a device. Before Secure Boot, devices used software known as a BIOS, installed on a small chip, to instruct them how to boot, recognize and start hard disks, CPUs, memory and other hardware. Once complete, this engine loaded the bootloader, which launches tasks and processes to load Windows.
The problem was: the BIOS loaded whatever bootloader was located in the appropriate directory. This permissiveness allowed hackers with brief access to a device to install rogue bootloaders, which in turn executed malicious firmware or Windows images.
When Secure Boot falls apart
About a decade ago, the BIOS was replaced by UEFI (Unified Extensible Firmware Interface), an operating system in its own right that could prevent system drivers or bootloaders from loading that were not digitally signed by their trusted manufacturers.
UEFI relies on databases of trusted and revoked signatures that OEMs load into motherboards’ non-volatile memory at the time of manufacture. Signatures list the signers and cryptographic hashes of each authorized bootloader or UEFI controlled application, a measure that establishes the chain of trust. This chain ensures that the device boots securely using only known and trusted code. If unknown code is scheduled to load, Secure Boot terminates the boot process.
A researcher and student recently discovered that more than 300 Taiwanese MSI motherboard models are by default not implementing Secure Boot and allowing any boot loader to run. The models work with a variety of hardware and firmware, including many from Intel and AMD (the full list is here). The flaw was introduced sometime in Q3 2021. The researcher accidentally discovered the issue when trying to digitally sign various components of his system.
“On 12/11/2022 I decided to set up Secure Boot on my new desktop with the help of sbctl,” wrote Dawid Potocki, a Polish-born researcher who now lives in New Zealand. “Unfortunately, it turned out that my firmware was… accepting all operating system images I gave it, regardless of whether it was trusted or not. It wasn’t the first time I signed Secure Boot automatically, I wasn’t doing it wrong.”
Potocki said he found no indication that motherboards from manufacturers ASRock, Asus, Biostar, EVGA, Gigabyte and NZXT suffer from the same deficiency.
The researcher reported that the broken Secure Boot was the result of the MSI’s inexplicable change from its default settings. Users who want to implement Secure Boot – which everyone should really be – should go into the affected motherboard’s settings. To do this, hold down the Del button on your keyboard while your device is booting. From there select the menu that says
Security\Secure Boot or something along those lines and then select the
Image Execution Policy submenu. If your motherboard is affected, Removable Media and Fixed Media will be set to “Always run”.
To fix, change “Always run” of these two categories to “Deny run”.
In a Reddit post published on Thursday, an MSI representative confirmed Potocki’s findings. The representative wrote:
We preemptively set Secure Boot to Enabled and “Always Execute” as the default setting to provide a user-friendly environment that allows many end users the flexibility to build their PC systems with thousands (or more) of components that include their onboard option ROM, including operating system images, resulting in more compatible configurations. For users who are very concerned about security, they can still set the “Image Execution Policy” to “Deny Execution” or other options manually to meet their security needs.
The post said that MSI will release new firmware versions that will change the default settings to “Deny Execution”. The subreddit linked above contains a discussion that may help users troubleshoot any issues.
As mentioned, Secure Boot is designed to prevent attacks in which an untrusted person gains surreptitious access to a device and tampers with its firmware and software. These hacks are usually known as “evil maid attacks”, but a better description is “stalker ex boyfriend attacks”.