MSI Accidentally Breaks Secure Boot for Hundreds of Motherboards 59
Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. From a report: This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue. The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.
We've added backwards compatibility (Score:5, Funny)
Good news, this motherboard is now compatible with Sony Rootkit again.
Re: (Score:3, Funny)
So it's more of an abusive fatherboard?
Re: (Score:2)
It self identifies as an otherboard.
Re: (Score:2)
feature (Score:5, Insightful)
This sounds like a feature, not a bug...
Re: (Score:3)
Re: (Score:2)
Secureboot has had a huge effect on security and is very much beneficial. I'm old enough to remember when rootkits were one of the most common forms of malware. Attack the early boot process, make it impossible for anti-virus software to remove them. Secureboot made them mostly go away because they no longer work.
Re: (Score:2)
But it could lead to a proliferation of hobbyist operating systems! The horror!
Re: (Score:3)
This sounds like a feature, not a bug...
Not sure why you think you're smart, the feature is security, the bug is you not RTFM and realising it is entirely within your control to disable it allowing you to install whatever you want.
Not security (Score:2)
Re: (Score:2)
The feature is control, not security. The main goal of UEFI is to stop people from installing other things than the manufacturer wants. Especially it hinders people in installing a more secure operating system.
You mean a more secure system like Linux, many flavours of which have been cross signed so you never even need to touch secure boot? Or a more secure OS like whatever the fuck you like because secure boot gives you the control you need to install your own keys.
You're mistake "lack of a control" with "not having a clue and not RTFM". All you do is look silly. Stop spreading FUD and go learn to install whatever OS you want. Or just disable secure boot completely. It's all up to you, in your control.
MSI firmware (Score:3)
I once bought a bunch of MSI gear for the quality capacitors.
I never bought any again because of the firmware.
Gigabyte seems quite solid though not many slots on the lower end. ASUS half way on firmware with lots of slots. Tyan if you're made of money. Supermicro if you can figure out what the hay is going on with spyware situation, maybe.
Re: (Score:3)
Gigabyte seems quite solid though
LOL! I could repeat your post except replace MSI with Gigabyte and Gigabyte with ASUS. I've sworn off Gigabyte. I've RMA'd two motherboards due to bioses self destructing. Their ability to switch bioses to a backup is flaky at best and non-functional from a flashing point of view at worse, and even now I still have an X470 board that will randomly when the moon phase is just right decide ... "nah I'm not booting anymore. I'll just switch to the backup bios until you do a funny little dance rebooting me over
Re: (Score:2)
I can second this. I had a Gigabyte mobo that bricked because the company mixed up their model line and literally put the wrong firmware image for my board on their web site. Since the new firmware had a valid checksum, but was wrong for that motherboard, the "Dual BIOS" feature wouldn't work and the board was dead. I fixed it by de-soldering and swapping the firmware chips. I never dared to apply another update.
It wouldn't have been a big deal if they gave you more control over the boot process, such a
Re: (Score:2)
Mine had a socketed secondary chip, which didn't help because if you booted from the secondary chip there was (at the time) no way to flash the primary chip. The entire Dual BIOS implementation was always incredibly useless.
Re: (Score:2)
That's a feature not a bug. (Score:5, Insightful)
How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?
Why do companies believe they have the right to tell me what I can and cannot do with my own computer?
Re:That's a feature not a bug. (Score:5, Insightful)
Well, ideally, it's a choice.
You can disable SecureBoot to boot your own compiled kernel.
You can leave it enabled but put your own keys, to let you compile your kernel, potentially do it in a way that keeps the private signing key elsewhere.
You can leave it at defaults and boot *most* things people would want to boot (Windows, RedHat, Centos, Rocky, Alma, Oracle Linux, Fedora, Ubuntu, Suse, LEAP, probably more).
If something hypothetically tries to insert itself between your kernel and the platform, then it will hopefully work to mitigate that.
Re: (Score:2)
Re:That's a feature not a bug. (Score:4, Funny)
What?! How dare they give the users choices! It should be 100% open, all of the time, whether the user likes it or not!
May I interest you in an MSI motherboard?
Re: (Score:2)
You can disable SecureBoot to boot your own compiled kernel.
Except you won't be allowed to Dual boot since Windows is making secure boot mandatory
Re: (Score:1, Insightful)
How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?
It's not. The owner is in full control, always have been. The sky didn't fall. Linux didn't stop working, and basically everything the anti-secure boot FUD spreaders have said has simply not happened.
The defect here is that the feature for those people who *want* to use it, doesn't work as intended.
Shame on whomever modded you up.
Re: (Score:1)
Clearly you don't remember how Microsoft broke it the very first week, and aren't aware that it still doesn't work on numerous devices in the wild. Sure, the sky didn't fall, but it's disingenuous to say the things the "FUD spreaders" said would happen didn't, because every single one of their predictions absolutely did come true, if not on the scale or for the duration of time they said it would.
Re:That's a feature not a bug. (Score:5, Informative)
To be fair, it did come to pass, but not significantly on x86. The Surface RT did not actually allow SecureBoot disable.
Surface Pro default doesn't allow 3rd party OSes at all, but does allow you to enable 3rd party. It does also permit disabling SecureBoot.
So there is still room to worry that devices will exist that use this to prevent non-Microsoft OSes, but so far MS hasn't gone that far on x86 devices...
Re: (Score:2)
As part of Microsoft's Designed for Windows certification requirements a system *must* allow both secure boot to be disabled, and custom keys to be installed. This is the case with the Surface Pro as well. Expecting a user to install an OS without ever touching a UEFI settings is a fantasy as they will need to in many cases enable booting from external media in the first place.
but so far MS hasn't gone that far on x86 devices...
Not only not gone that far, they turned around and walked backwards. In addition to the requirements above, MS actually certifies 3r
Re: (Score:3)
Re: (Score:2)
How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?
Fair point, but it was lost in the masses represented below.
Why do companies believe they have the right to tell me what I can and cannot do with my own computer?
There are dozens of laws, regulations, and inspectors between you and that legitimate set of brake rotors purchased from a licensed local dealer that you're going to put on your car yourself. You trust that the process securing your purchase of a genuine product and not some illegal chunk of recycled donkey shit and junk ore, is intact and prevents customers from inadvertently harming themselves or loved ones.
Now, take a good look to the left an
What a disaster (Score:5, Interesting)
Re: (Score:1)
Plenty of fanbois, but it matters little: "The Industry" (for which read: microsoft) thinks it's a good idea, therefore it happened. That this can be is quite interesting (in the Chinese sense) on its own already.
Re:What a disaster (Score:5, Informative)
Please don't confuse EUFI with secure boot. Secure boot just happens to be a feature that can (usually) be turned off if you don't need it.
Re: (Score:3)
Re:What a disast (Score:2)
I long thought there were absolutely no advantages to running UEFI with Linux, but recently (yeah, took me a long time) I discovered you can upgrade BIOS version directly from Linux in UEFI mode on most systems, while it is sometimes impossible in Legacy mode (even booting from a USB key, I'm looking at you HP).
2TB isn't big enough for everybody. That's just one of soooo many reasons.
There is a whole world of OS-firmware integration possibilities that you're just scratching the surface of, like how well does your kernel, grub, and BIOS actually know which storage device was booted from? Does grub enumerate devices the same as BIOS? Does the kernel enumerate devices the same as grub? From user space can you tell your bios to target a different device on next boot? Can your firmware or boot loader boot from a f
Re: (Score:2)
Imagine firmware that understood advanced filesystem features, with an interactive CLI, that can actually talk to the hardware on your system instead of rebooting and pressing Fsomethingelse to get the network card's firmware.
I'm moderately proficient on Linux, and I've written device drivers and bootloaders for custom embedded system. My take on it was to do the strict minimum in the bootloader and then offload the rest of the heavy lifting to the kernel. Wouldn't what you envision be opening a whole new surface attack for vulnerabilities ?!?
Re: (Score:3, Informative)
but if I have physical access to the hardware, all bets, with the exception of whole disk encryption, are off.
Indeed, so you got whole disk encryption and you're safe. Now the question is, do you have UEFI SecureBoot enabled, or are you leaving yourself open to someone installing a rogue malware faking a boot process and passing off to windows which can then run in the background to steal your password (you know, the one you use for your precious full disk encryption). Your full disk encryption is worthless if someone can execute arbitrary code without your knowledge on your machine. You'll just hand him the keys.
N
Re: (Score:3)
Re: (Score:2)
I don't know of anybody who has been in favor of UEFI, least of all techy folks. I understand the idea behind secure booting and where they were going with it, but if I have physical access to the hardware, all bets, with the exception of whole disk encryption, are off.
Popular opinions among "techy folks" are why we can't have nice things. Do you know anybody with any experience with non-x86 firmware at all? Like what was EFI competing against, or inspired by, for example? There are many nice things you will never have by sticking with old 16-bit BIOS. If you don't understand it, how can you have an opinion? But hey, that's how IT works, or doesn't, it's not just you.
That's not even what Secure Boot is for, it's to secure the boot loader, which can secure the kernel, whic
Re: (Score:3)
What is the point (Score:1)
The whole point of this was to keep people from installing Linux.
I used to be able to tell somebody how to get into the bios remotely over the phone without being there.
They used to have somewhat standard hotkeys. Boot from other media, without adjusting any settings.
After the transition, every single system seems to have its own design of how secure boot works. Some systems you can get to a shell other systems you cannot. It seems like a bunch of dangerous sounding options are forcefully put right next to
Re: (Score:2)
The whole point of this was to keep people from installing Linux.
Complete FUD since most Linux distributions are signed, and one of the requirements for secure boot was the ability to a) turn it off, and b) allow uploading of custom keys.
Not sure if there was anything of value in the rest of your post, but with an opening like that it was unlikely worth reading. Now go put your tinfoil hat back on.
Re:What is the point (Score:4, Informative)
Complete FUD since most Linux distributions are signed, and one of the requirements for secure boot was the ability to a) turn it off, and b) allow
Not FUD. Deploying custom keys are beyond the technical aptitude of the average user - it's certainly Not possible to do from an Install CD. They have created a major impediment against users exercising the freedom to install anything other than a MS-sponsored OS.
For example they Won't sign Grub [microsoft.com] the Linux bootloader - Code that is subject to such a license that has already been signed might have that signature revoked. For example, GRUB 2 is licensed under GPLv3 and will not be signed..
Re: (Score:1)
More FUD. What "average user" is going to install something other than Windows or a Linux distribution that has a shim already signed by Microsoft? And if you do need to use custom keys for some reason, it is easy to do. 1) Enter UEFI mode and select 'clear secure boot variables'. 2) Boot install CD. Install CD sets all the required keys. 3) Reboot into UEFI and select 'Enable secure boot'. Gee, that was tough, and obviously way beyond the abilities of the 'average user'.
The reason they won't sign GPL
Re: (Score:2)
Deploying custom keys are beyond the technical aptitude of the average user
The average user is not playing with Linux systems that require deploying custom keys. The average user is installing popular Linux distributions that very much are signed and as complex to install as popping in the installation media.
You're spreading FUD. If you're competent enough to play with custom OSes rather than popular OSes for the masses, you're competent enough to either disable secure boot or load a custom key. The average user is unaffected by this.
Why not? (Score:2)
I like being able to run any operating system. Sounds like a good thing.
Re: (Score:2)
I like features working as intended. If you like running anything you want then use the feature that allows you to turn secure boot off, or the feature to upload keys from your other operating systems. There's nothing good about celebrating a security feature optionally available to you being broken.
TFA (Score:5, Informative)
I have read TFA and this is just a default setting. Secure boot options can still be set up so you can cripple your system if you desire.
Thank you MSI for breaking this nasty thing (Score:3)
Please never "FIX" this... Also, please let me know what model motherboard is affected? Because I think I might like to buy a few.
Re: (Score:2)
Why the fuck would you not want secure boot to work if you have enabled it?
Re: (Score:2)
So we can Dual boot versions of Windows which have put on the label that Secure Boot with MS keys is mandatory and systems with SecureBoot disabled are Unsupported.
Re: Thank you MSI for breaking this nasty thing (Score:2)
It doesn't say that it reports it was securely booted to the OS, so I don't see how that would help.
Re: (Score:2)
Re: Thank you MSI for breaking this nasty thing (Score:2)
So you live in some fantasy world where the only way a machine can be compromised is by physical access. Must be nice. In the real world, there are occasional vulnerabilities that allow privilege escalation and modification/replacement of files. One such file could be the kernel.
Even mainframes have secure boot, and I can guarantee you nobody is watching blu-rays on those. Of course, people running mainframes are generally actually concerned about security.
Re: (Score:2)
And it's not doing GNU/Linux any good that you have to disable it on most computers
You don't have to do anything of the sort. All popular Linux distros have secure boot keys and are cross signed, so you don't actually need to do anything in your UEFI settings to get them to run.
Other than enable booting from USB stick which isn't the default on most systems either.
confusion (Score:2)
Re: (Score:2)
MSI gaming laptop owner - never had a problem. Have updated the nVidia drivers from the stock image with the ones from nVidia's website some... 20, 30, 40 times? Never an issue.
Also I run VR, external HDMI, etc. from the laptop without a problem, and recently updated the drivers the day of Portal RTX's release, to allow that to work - also no problems.
Not sure it's as widespread as you claim.
For reference, I don't tolerate freezes, hangs, crashes, errors, applications failing, or even glitching from any m