BIOS Bug on MSI Boards prevents Secure Boot

Small addendum from this week about a bug in MSI mainboards. A flaw in the BIOS/UEFI firmware of various board models means Secure Boot is not actually enforced, even when the BIOS setting shows it as On. The Polish student Dawid Potocki recently came across this bug. Users have to change a default BIOS/UEFI setting before Secure Boot really verifies signatures and delivers the protection that Microsoft's Windows 11 requirement is meant to guarantee.


Microsoft Secure Boot

According to Microsoft, Secure Boot is an important security feature that prevents untrusted (unsigned) code, including malware, from loading while the PC boots. The standard was, according to Microsoft's documentation, developed by the PC industry to ensure that a device only boots with software that the OEM (Original Equipment Manufacturer) has deemed trustworthy.

When the PC is booted, the firmware checks the signature of each start-up software component, including the UEFI firmware drivers (also called option ROMs), the EFI applications and the operating system's boot loader, against the certificates enrolled in the firmware's signature database (db). If the signatures are valid, the PC boots and the firmware passes control to the operating system.

The OEM can follow the firmware manufacturer's instructions to create the Secure Boot keys and store them in the PC firmware. Anyone who adds UEFI drivers must ensure that they are signed and that the signing certificate is included in the Secure Boot database.

Microsoft has made Secure Boot mandatory for Windows 11. Critics describe the feature as a trap to lock unwelcome operating systems out of computers and to favour Microsoft's Windows. And there is always the danger that a faulty or revoked signature leaves devices unable to boot.

Voodoo Secure Boot at MSI

MSI has now botched this "important" Secure Boot function, and the incident shows once again how much of the whole thing is voodoo. It became public a few days ago. A blog reader pointed out the article in the discussion area, but the issue had already come to my attention. The details are in the article MSI's (in)Secure Boot by Dawid Potocki.


MSI Secure Boot flaw

In a nutshell: the affected MSI mainboards have a Secure Boot option that is supposed to switch on the feature required by Windows 11. But the sub-setting Image Execution Policy, which decides what the firmware does with an image that has no valid signature, defaults to Always Execute.

MSI Option ROM setting Secure Boot

The problem is that with this default no verification of the boot components takes place at all: unsigned components, and images whose signature fails to verify, are executed just the same. Dawid Potocki writes about this:

When we open the menu, we can see the disappointing default settings. There is no verification. It is useless. It is only there to meet the requirements of Windows 11. The operating system has no idea that Secure Boot does nothing, it only knows that it is "enabled".

In plain language: Windows 11 reads "Secure Boot is enabled" from the firmware and is satisfied. It has no way of knowing whether manipulated drivers or loaders were already executed earlier in the boot sequence and broke the chain of trust (on such a board the security exists only on paper anyway, and what remains of Secure Boot is its ability to bring machines to their knees, or at least cause trouble, when something goes wrong with the signatures and the machines no longer boot).

Users can change the Image Execution Policy from "Always Execute" to "Deny Execute" for both "Removable Media" and "Fixed Media". Only then does the firmware actually reject images that are unsigned or whose signature fails verification. What is strange is that the options "Allow Execute" and "Query User" violate the UEFI specification, and Potocki is not sure what the difference between "Allow Execute" and "Always Execute" is.
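Two checks a practitioner can run from Linux against the situation described above, as an added example (this is not code from the blog post or from Dawid Potocki's article): decode the SecureBoot and SetupMode UEFI variables that the operating system, and Windows 11's requirement check, actually look at, and inspect an EFI boot binary for the embedded Authenticode signature that the firmware is supposed to verify. The variable names, the EFI_GLOBAL_VARIABLE GUID and the efivarfs layout are from the UEFI specification and the Linux kernel; the PE test images are constructed inline so the script runs offline. The point the example makes is the one in the text: the firmware reporting SecureBoot=1 proves nothing about enforcement. The only conclusive test is to boot an unsigned .efi from a USB stick; if it runs, the policy is not enforcing.

```python
"""Added example: what the OS can and cannot learn about Secure Boot."""
import os
import struct
import sys

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def read_efivar_flag(raw: bytes) -> int:
    """efivarfs files are 4 bytes of attributes followed by the variable data.
    SecureBoot and SetupMode are single-byte 0/1 values."""
    if len(raw) < 5:
        raise ValueError("efivar too short")
    return raw[4]


def reported_state(secureboot: int, setupmode: int) -> str:
    """Interpret the two flags exactly as the OS does: this is the *reported*
    state, which is all Windows 11's check sees. It says nothing about the
    Image Execution Policy (Always Execute vs. Deny Execute)."""
    if setupmode == 1:
        return "setup mode (keys not enrolled, no verification)"
    if secureboot == 1:
        return "enabled (as reported to the OS; enforcement not proven)"
    return "disabled"


def read_system_state(efivars: str = EFIVARS) -> str:
    """Read SecureBoot and SetupMode from efivarfs on a Linux system."""
    vals = {}
    for name in ("SecureBoot", "SetupMode"):
        path = os.path.join(efivars, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
        with open(path, "rb") as f:
            vals[name] = read_efivar_flag(f.read())
    return reported_state(vals["SecureBoot"], vals["SetupMode"])


def pe_has_authenticode(image: bytes) -> bool:
    """True if the PE32/PE32+ image carries a WIN_CERTIFICATE of type
    PKCS#7 signed data in its Certificate Table (data directory 4).
    This is the signature the firmware verifies against db; a firmware set
    to Always Execute would run the image whether or not it is present."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                      # skip COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x20B:                             # PE32+
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:                           # PE32
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    if ndirs <= 4:
        return False
    # For the Certificate Table the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", image, dirs_off + 4 * 8)
    if cert_off == 0 or cert_size < 8 or cert_off + 8 > len(image):
        return False
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType (0x0002 = PKCS#7)
    length, _rev, ctype = struct.unpack_from("<IHH", image, cert_off)
    return ctype == 0x0002 and 8 < length <= cert_size


def build_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a bootable binary), used only to
    exercise pe_has_authenticode() offline. The 'signature' is a placeholder
    blob, not real PKCS#7 data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    hdr_len = 64 + 4 + 20 + 240                    # 328, 8-byte aligned
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\x00" * 30
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, 112 + 4 * 8, hdr_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    try:
        print("firmware reports:", read_system_state())
    except OSError as e:
        print("efivars not readable:", e)
    for path in sys.argv[1:]:                      # e.g. /boot/efi/EFI/BOOT/BOOTX64.EFI
        with open(path, "rb") as f:
            print(path, "signed" if pe_has_authenticode(f.read()) else "UNSIGNED")
    print("constructed samples:", pe_has_authenticode(build_test_image(True)),
          pe_has_authenticode(build_test_image(False)))
```

On Windows the PowerShell cmdlet Confirm-SecureBootUEFI reads the same SecureBoot variable and therefore returns True on an affected board with the default policy. For a full signature check of a real bootloader, sbverify --list from sbsigntools parses the certificate table the function above only detects; neither tool can see the firmware's Image Execution Policy, which is why the unsigned-USB boot test remains the decisive check.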

Dawid Potocki then discovered that not only his motherboard is affected but other models too, possibly even from other manufacturers. Potocki has published a list of the allegedly affected MSI motherboards on GitHub.



One Response to BIOS Bug on MSI Boards prevents Secure Boot

  1. guenni says:

    MSI Statement on Secure Boot on reddit

    MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance defined by Microsoft and AMI before the launch of Windows 11. We preemptively set Secure Boot as Enabled and "Always Execute" as the default setting to offer a user-friendly environment that allows multiple end-users the flexibility to build their PC systems with thousands (or more) of components that include their own built-in option ROM, including OS images, resulting in higher-compatibility configurations. Users who are highly concerned about security can still set "Image Execution Policy" to "Deny Execute" or other options manually to meet their security needs.

    In response to the report of security concerns with the preset bios settings, MSI will be rolling out new BIOS files for our motherboards with "Deny Execute" as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs.
