News Security Researcher Discovers Secure Boot Disabled on 290 MSI Motherboards

[Admin]

Over 290 MSI motherboards come with Secure Boot disabled.

Security Researcher Discovers Secure Boot Disabled on 290 MSI Motherboards : Read more

 

[RoadieGhost]

What's the line between 'accident' and incompetent? If 10 models are affected I'd call it an unintended code interaction. 100+ models affected? That's a serious lack of QA and should be at minimum called negligence.

 

[KyaraM]

Hmmm. Neither the Pro Z690-A nor the Pro B660M-A without WiFi are listed I see. Will check the Z690-A immediately and the B660M-A when it arrives for my secondary system upgrade I guess (though after a year, I should get a newer BIOS on it... well, I'll see I guess). The question I have is, what if it is indeed disabled? Can I enable it in the BIOS myself, or do I need to update the BIOS? Unfortunately not stated in the artice, but I guess the former?

 

[Senile Otaku]

Well, this is virtually the opposite of the problem with their B450-A Pro Max boards, where their firmware update insists upon enabling (in)Secure Boot, regardless of what you had it set to before. And the newer firmware also ignores your boot-order settings in EFI, regardless of how you configure it in efibootmgr.

 

[ComputePronto]

At least in my experience, MSI motherboards have poor UEFI implementations in their BIOS. It tends to cause boot entries to be randomly deleted. I have never seen another brand's motherboards do this. Even if Secure Boot works, you're still on thin ice.

It's really unfortunate that so much of MSI's hardware is hindered by BIOS problems. It would otherwise be usable, at the very least.

 

[KyaraM]

It's really unfortunate that so much of MSI's hardware is hindered by BIOS problems. It would otherwise be usable, at the very least.

Considering that I'm using two of their boards already and soon get a third, and never had issues, I would say you already can.

 

[Dawid's Throwaway]

What's the line between 'accident' and incompetent? If 10 models are affected I'd call it an unintended code interaction. 100+ models affected?

It's most likely not an accident. There is nothing to point that it was, it seems like a deliberate change by MSI.

Hmmm. Neither the Pro Z690-A nor the Pro B660M-A without WiFi are listed I see. Will check the Z690-A immediately and the B660M-A when it arrives for my secondary system upgrade I guess (though after a year, I should get a newer BIOS on it... well, I'll see I guess). The question I have is, what if it is indeed disabled? Can I enable it in the BIOS myself, or do I need to update the BIOS? Unfortunately not stated in the artice, but I guess the former?

PRO Z690-A / PRO Z690-A WIFI: 7D25vA42 (2022-05-23) [2022-05-17]
PRO B660-A / PRO B660M-A WIFI: 7D59vA31 (2022-05-23) [2022-05-21]

I have posted the full list on GitHub, not my fault that Tom's Hardware decided to only copy 1/10 of it.
https://github.com/Foxboron/sbctl/issues/181

Also websites decided to for some reason mention version 7C02v3C which is a version for B450 TOMAHAWK MAX which only applies to this motherboard. Nobody seems to care to actually read what I have wrote and instead the news sites just copy off each other.

If you want the original source without all the mistakes, go read here: https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/

 

[icesenshi]

Are you serious? What a joke, and poor excuse for an article. Secure boot is a joke created by Microsoft. Did you know that every linux distro has to ask Microsoft for a key just to boot their operating system? And if Microsoft refuses to a key, you're out of luck. There is nothing secure about secure boot, only Microsoft controlling what operating systems are allowed.

 

[KyaraM]

It's not an accident. There is nothing to point that it was, it has been a deliberate change by MSI like how I pointed in my source article. It's just bad reporting at this point.





I have posted the full list on GitHub, not my fault that Tom's Hardware decided to only copy 1/10 of it.
https://github.com/Foxboron/sbctl/issues/181

Also websites decided to for some reason mention version 7C02v3C which is a version for B450 TOMAHAWK MAX which only applies to this motherboard. Nobody seems to care to actually read what I have wrote and instead the news sites just copy off each other.

If you want the original source without all the mistakes, go read here: https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/

Yeah, thank you for posting the full list. I went into BIOS and changed it last night already; but hopefully more people see it and act on it now that it is posted here!

Also thank you for your hard work unveiling the issue! This should affect quite a few users and hopefully this helps them make their computers a bit more secure.

 

[TerryLaze]

Are you serious? What a joke, and poor excuse for an article. Secure boot is a joke created by Microsoft. Did you know that every linux distro has to ask Microsoft for a key just to boot their operating system? And if Microsoft refuses to a key, you're out of luck. There is nothing secure about secure boot, only Microsoft controlling what operating systems are allowed.

First of all, not letting just any random into your house is the main basis for security.
Second of all, MS has nothing to do with the keys for anybody else, whoever curates each linux distro would have to supply a valid private key to every mobo maker and of course the mobo makers would have to care enough about the distro to go into the trouble of including the key.