[German]Small addendum from this week about a bug on a mainboard from MSI. A bug in the BIOS/UEFI of various board models prevents Secure Boot from being used – even if the BIOS setting is set to On. The Polish student Dawid Potocki recently came across this bug. Users have to change the default BIOS/UEFI setting in order for Secure Boot to work correctly and actually meet Microsoft's requirements for Windows 11.
Microsoft Secure Boot
According to Microsoft, Secure Boot is an important security feature that prevents malware from loading when the PC boots. The security standard was supposedly developed by the PC industry to ensure that a device only boots with software that the OEM (Original Equipment Manufacturer) has deemed trustworthy.
When the PC is booted, the firmware checks the signature of each start-up software component, including the UEFI firmware drivers (also called option ROMs), the EFI applications and the operating system. If the signatures are valid, the PC boots and the firmware passes control to the operating system.
The OEM can use the firmware manufacturer's instructions to create "Secure Boot" keys and store them in the PC firmware. If UEFI drivers are added, ensure that they are signed and included in the Secure Boot database.
Microsoft has made Secure Boot mandatory for Windows 11. Critics describe the function as a trap to lock out unwelcome operating systems from computers and to favour Microsoft's Windows. There is always the danger that a faulty signature will prevent devices from booting.
Voodoo Secure Boot at MSI
MSI has now made a mistake with this "important" function of Secure Boot, and the incident shows once again that the whole thing is pretty much voodoo. The whole thing became public a few days ago. A blog reader had pointed out the neowin.net article in the discussion area – but the issue had already come to my attention. The following tweet links to the article MSI's (in)Secure Boot by Dawid Potocki.
In a nutshell: On the affected MSI mainboards there is the option Secure Boot, which is supposed to switch on this feature required by Windows 11. The default value is Image Execution Policy -> Always Execute.
The problem, however, is that there is no check of the operating system images to be booted. It is therefore also possible to boot unsigned components. Dawid Potock writes about this:
When we open the menu, we can see the disappointing default settings. There is no verification. It is useless. It is only there to meet the requirements of Windows 11. The operating system has no idea that Secure Boot does nothing, it only knows that it is "enabled".
In plain language: Microsoft's Windows 11 learns "Secure Boot is enabled" and is satisfied. Windows 11 is not interested in whether manipulated drivers or loaders have already passed through in the boot sequence and interrupted the security chain (security only exists on paper anyway and Secure Boot is there to "kneel them" or cause trouble if something goes wrong with the signatures and machines no longer boot).
Users can change the settings from "Always Execute" to "Deny Execute" for "Removable Media" and "Fixed Media". Then Secure Boot should check again. What is strange is that the options "Allow Execute" and "Query User" violate the UEFI specification. Potock is not sure what the difference is between "Allow Execute" and "Always Execute".
Dawid Potock then discovered that not only his motherboard is affected, but also other models – possibly even from other manufacturers. Potoki has published a list of the allegedly affected MSI motherboards on GitHub.
Cookies helps to fund this blog: Cookie settings