Security Technology

MSI Accidentally Breaks Secure Boot for Hundreds of Motherboards

Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. From a report: This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue. The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.
  • by NFN_NLN ( 633283 ) on Tuesday January 17, 2023 @12:32PM (#63216912)

    Good news, this motherboard is now compatible with Sony Rootkit again.

  • feature (Score:5, Insightful)

    by rknop ( 240417 ) on Tuesday January 17, 2023 @12:49PM (#63216962) Homepage

    This sounds like a feature, not a bug...

    • by jmccue ( 834797 )
      No kidding, breaking something that has no useful purpose. I hope a manufacturer comes out with a board that does not even allow that.
      • by AmiMoJo ( 196126 )

        Secureboot has had a huge effect on security and is very much beneficial. I'm old enough to remember when rootkits were one of the most common forms of malware. Attack the early boot process, make it impossible for anti-virus software to remove them. Secureboot made them mostly go away because they no longer work.

    • But it could lead to a proliferation of hobbyist operating systems! The horror!

    • This sounds like a feature, not a bug...

      Not sure why you think you're smart, the feature is security, the bug is you not RTFM and realising it is entirely within your control to disable it allowing you to install whatever you want.

      • The feature is control, not security. The main goal of UEFI is to stop people from installing other things than the manufacturer wants. Especially it hinders people in installing a more secure operating system.
        • The feature is control, not security. The main goal of UEFI is to stop people from installing other things than the manufacturer wants. Especially it hinders people in installing a more secure operating system.

          You mean a more secure system like Linux, many flavours of which have been cross signed so you never even need to touch secure boot? Or a more secure OS like whatever the fuck you like because secure boot gives you the control you need to install your own keys.

          You're mistaking "lack of a control" with "not having a clue and not RTFM". All you do is look silly. Stop spreading FUD and go learn to install whatever OS you want. Or just disable secure boot completely. It's all up to you, in your control.

  • by bill_mcgonigle ( 4333 ) * on Tuesday January 17, 2023 @12:50PM (#63216970) Homepage Journal

    I once bought a bunch of MSI gear for the quality capacitors.

    I never bought any again because of the firmware.

    Gigabyte seems quite solid though not many slots on the lower end. ASUS half way on firmware with lots of slots. Tyan if you're made of money. Supermicro if you can figure out what the hay is going on with spyware situation, maybe.

    • Gigabyte seems quite solid though

      LOL! I could repeat your post except replace MSI with Gigabyte and Gigabyte with ASUS. I've sworn off Gigabyte. I've RMA'd two motherboards due to bioses self destructing. Their ability to switch bioses to a backup is flaky at best and non-functional from a flashing point of view at worst, and even now I still have an X470 board that will randomly when the moon phase is just right decide ... "nah I'm not booting anymore. I'll just switch to the backup bios until you do a funny little dance rebooting me over

      • I can second this. I had a Gigabyte mobo that bricked because the company mixed up their model line and literally put the wrong firmware image for my board on their web site. Since the new firmware had a valid checksum, but was wrong for that motherboard, the "Dual BIOS" feature wouldn't work and the board was dead. I fixed it by de-soldering and swapping the firmware chips. I never dared to apply another update.

        It wouldn't have been a big deal if they gave you more control over the boot process, such a

        • Mine had a socketed secondary chip, which didn't help because if you booted from the secondary chip there was (at the time) no way to flash the primary chip. The entire Dual BIOS implementation was always incredibly useless.

    • I used to only purchase Tyan boards for the many builds I did for people back in the late '90s/early 2000s until they stopped making consumer boards. They were the best motherboards back then and priced mostly the same as other brands. I still have a few of those Trinity and Tiger boards laying around and they still work.
  • by gillbates ( 106458 ) on Tuesday January 17, 2023 @12:51PM (#63216974) Homepage Journal

    How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?

    Why do companies believe they have the right to tell me what I can and cannot do with my own computer?

    • by Junta ( 36770 ) on Tuesday January 17, 2023 @01:46PM (#63217144)

      Well, ideally, it's a choice.

      You can disable SecureBoot to boot your own compiled kernel.

      You can leave it enabled but put your own keys, to let you compile your kernel, potentially do it in a way that keeps the private signing key elsewhere.

      You can leave it at defaults and boot *most* things people would want to boot (Windows, RedHat, Centos, Rocky, Alma, Oracle Linux, Fedora, Ubuntu, Suse, LEAP, probably more).

      If something hypothetically tries to insert itself between your kernel and the platform, then it will hopefully work to mitigate that.

    • Re: (Score:1, Insightful)

      by thegarbz ( 1787294 )

      How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?

      It's not. The owner is in full control, always has been. The sky didn't fall. Linux didn't stop working, and basically everything the anti-secure boot FUD spreaders have said has simply not happened.

      The defect here is that the feature for those people who *want* to use it, doesn't work as intended.

      Shame on whomever modded you up.

      • Clearly you don't remember how Microsoft broke it the very first week, and aren't aware that it still doesn't work on numerous devices in the wild. Sure, the sky didn't fall, but it's disingenuous to say the things the "FUD spreaders" said would happen didn't, because every single one of their predictions absolutely did come true, if not on the scale or for the duration of time they said it would.

      • by Junta ( 36770 ) on Tuesday January 17, 2023 @03:36PM (#63217522)

        To be fair, it did come to pass, but not significantly on x86. The Surface RT did not actually allow SecureBoot disable.

        Surface Pro default doesn't allow 3rd party OSes at all, but does allow you to enable 3rd party. It does also permit disabling SecureBoot.

        So there is still room to worry that devices will exist that use this to prevent non-Microsoft OSes, but so far MS hasn't gone that far on x86 devices...

        • As part of Microsoft's Designed for Windows certification requirements a system *must* allow both secure boot to be disabled, and custom keys to be installed. This is the case with the Surface Pro as well. Expecting a user to install an OS without ever touching a UEFI settings is a fantasy as they will need to in many cases enable booting from external media in the first place.

          but so far MS hasn't gone that far on x86 devices...

          Not only not gone that far, they turned around and walked backwards. In addition to the requirements above, MS actually certifies 3r

    • by tlhIngan ( 30335 )

      How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?

      SecureBoot is an option. You can enable and disable it at will, even on PCs that come shipped with Windows. Disable it and Windows will refuse to do some things, but you can, and always could, install whatever the heck you wanted on it. It was something Microsoft made mandatory - that all x86 platforms supporting UEFI must allow you to disable

    • How much have we succumbed to corporate greed when a feature which allows the owner of a computer to load an operating system of their choice is considered a defect?

      Fair point, but it was lost in the masses represented below.

      Why do companies believe they have the right to tell me what I can and cannot do with my own computer?

      There are dozens of laws, regulations, and inspectors between you and that legitimate set of brake rotors purchased from a licensed local dealer that you're going to put on your car yourself. You trust that the process securing your purchase of a genuine product and not some illegal chunk of recycled donkey shit and junk ore, is intact and prevents customers from inadvertently harming themselves or loved ones.

      Now, take a good look to the left an

  • What a disaster (Score:5, Interesting)

    by lsllll ( 830002 ) on Tuesday January 17, 2023 @12:51PM (#63216976)
    I don't know of anybody who has been in favor of UEFI, least of all techy folks. I understand the idea behind secure booting and where they were going with it, but if I have physical access to the hardware, all bets, with the exception of whole disk encryption, are off.
    • by Anonymous Coward

      Plenty of fanbois, but it matters little: "The Industry" (for which read: microsoft) thinks it's a good idea, therefore it happened. That this can be is quite interesting (in the Chinese sense) on its own already.

    • Re:What a disaster (Score:5, Informative)

      by Fly Swatter ( 30498 ) on Tuesday January 17, 2023 @01:18PM (#63217058) Homepage
      I don't mind UEFI compared to legacy BIOS, it solves a lot of problems. It's like GPT is a big leap over MBR.

      Please don't confuse UEFI with secure boot. Secure boot just happens to be a feature that can (usually) be turned off if you don't need it.
      • by dargaud ( 518470 )
        I long thought there were absolutely no advantages to running UEFI with Linux, but recently (yeah, took me a long time) I discovered you can upgrade BIOS version directly from Linux in UEFI mode on most systems, while it is sometimes impossible in Legacy mode (even booting from a USB key, I'm looking at you HP).
        • I long thought there were absolutely no advantages to running UEFI with Linux, but recently (yeah, took me a long time) I discovered you can upgrade BIOS version directly from Linux in UEFI mode on most systems, while it is sometimes impossible in Legacy mode (even booting from a USB key, I'm looking at you HP).

          2TB isn't big enough for everybody. That's just one of soooo many reasons.

          There is a whole world of OS-firmware integration possibilities that you're just scratching the surface of, like how well does your kernel, grub, and BIOS actually know which storage device was booted from? Does grub enumerate devices the same as BIOS? Does the kernel enumerate devices the same as grub? From user space can you tell your bios to target a different device on next boot? Can your firmware or boot loader boot from a f

          • by dargaud ( 518470 )

            Imagine firmware that understood advanced filesystem features, with an interactive CLI, that can actually talk to the hardware on your system instead of rebooting and pressing Fsomethingelse to get the network card's firmware.

            I'm moderately proficient on Linux, and I've written device drivers and bootloaders for custom embedded systems. My take on it was to do the strict minimum in the bootloader and then offload the rest of the heavy lifting to the kernel. Wouldn't what you envision be opening a whole new surface attack for vulnerabilities?!?

    • Re: (Score:3, Informative)

      by thegarbz ( 1787294 )

      but if I have physical access to the hardware, all bets, with the exception of whole disk encryption, are off.

      Indeed, so you got whole disk encryption and you're safe. Now the question is, do you have UEFI SecureBoot enabled, or are you leaving yourself open to someone installing a rogue malware faking a boot process and passing off to windows which can then run in the background to steal your password (you know, the one you use for your precious full disk encryption). Your full disk encryption is worthless if someone can execute arbitrary code without your knowledge on your machine. You'll just hand him the keys.

      N

      • by lsllll ( 830002 )
        If I suspect the machine may have been compromised, I wouldn't just enter my keys and decrypt the containers. I'd be booting Linux from a USB stick and checking things out. And of course there's the possibility that the machine may have been compromised, but UEFI doesn't necessarily prevent that. You make it sound like UEFI doesn't have its own vulnerabilities.
    • I don't know of anybody who has been in favor of UEFI, least of all techy folks. I understand the idea behind secure booting and where they were going with it, but if I have physical access to the hardware, all bets, with the exception of whole disk encryption, are off.

      Popular opinions among "techy folks" are why we can't have nice things. Do you know anybody with any experience with non-x86 firmware at all? Like what was EFI competing against, or inspired by, for example? There are many nice things you will never have by sticking with old 16-bit BIOS. If you don't understand it, how can you have an opinion? But hey, that's how IT works, or doesn't, it's not just you.

      That's not even what Secure Boot is for, it's to secure the boot loader, which can secure the kernel, whic

    • Comment removed based on user account deletion
  • The whole point of this was to keep people from installing Linux.

    I used to be able to tell somebody how to get into the bios remotely over the phone without being there.

    They used to have somewhat standard hotkeys. Boot from other media, without adjusting any settings.

    After the transition, every single system seems to have its own design of how secure boot works. Some systems you can get to a shell other systems you cannot. It seems like a bunch of dangerous sounding options are forcefully put right next to

    • The whole point of this was to keep people from installing Linux.

      Complete FUD since most Linux distributions are signed, and one of the requirements for secure boot was the ability to a) turn it off, and b) allow uploading of custom keys.

      Not sure if there was anything of value in the rest of your post, but with an opening like that it was unlikely worth reading. Now go put your tinfoil hat back on.

      • Re:What is the point (Score:4, Informative)

        by mysidia ( 191772 ) on Tuesday January 17, 2023 @03:50PM (#63217576)

        Complete FUD since most Linux distributions are signed, and one of the requirements for secure boot was the ability to a) turn it off, and b) allow

        Not FUD. Deploying custom keys is beyond the technical aptitude of the average user - it's certainly Not possible to do from an Install CD. They have created a major impediment against users exercising the freedom to install anything other than a MS-sponsored OS.

        For example they Won't sign Grub [microsoft.com] the Linux bootloader - Code that is subject to such a license that has already been signed might have that signature revoked. For example, GRUB 2 is licensed under GPLv3 and will not be signed.

        • by bws111 ( 1216812 )

          More FUD. What "average user" is going to install something other than Windows or a Linux distribution that has a shim already signed by Microsoft? And if you do need to use custom keys for some reason, it is easy to do. 1) Enter UEFI mode and select 'clear secure boot variables'. 2) Boot install CD. Install CD sets all the required keys. 3) Reboot into UEFI and select 'Enable secure boot'. Gee, that was tough, and obviously way beyond the abilities of the 'average user'.

          The reason they won't sign GPL

        • Deploying custom keys is beyond the technical aptitude of the average user

          The average user is not playing with Linux systems that require deploying custom keys. The average user is installing popular Linux distributions that very much are signed and as complex to install as popping in the installation media.

          You're spreading FUD. If you're competent enough to play with custom OSes rather than popular OSes for the masses, you're competent enough to either disable secure boot or load a custom key. The average user is unaffected by this.

  • I like being able to run any operating system. Sounds like a good thing.

    • I like features working as intended. If you like running anything you want then use the feature that allows you to turn secure boot off, or the feature to upload keys from your other operating systems. There's nothing good about celebrating a security feature optionally available to you being broken.

  • TFA (Score:5, Informative)

    by Voice of satan ( 1553177 ) on Tuesday January 17, 2023 @02:51PM (#63217372)

    I have read TFA and this is just a default setting. Secure boot options can still be set up so you can cripple your system if you desire.

  • by mysidia ( 191772 ) on Tuesday January 17, 2023 @03:45PM (#63217560)

    Please never "FIX" this... Also, please let me know what model motherboard is affected? Because I think I might like to buy a few.

    • by bws111 ( 1216812 )

      Why the fuck would you not want secure boot to work if you have enabled it?

      • by mysidia ( 191772 )

        So we can Dual boot versions of Windows which have put on the label that Secure Boot with MS keys is mandatory and systems with SecureBoot disabled are Unsupported.

      • Comment removed based on user account deletion
        • So you live in some fantasy world where the only way a machine can be compromised is by physical access. Must be nice. In the real world, there are occasional vulnerabilities that allow privilege escalation and modification/replacement of files. One such file could be the kernel.

          Even mainframes have secure boot, and I can guarantee you nobody is watching blu-rays on those. Of course, people running mainframes are generally actually concerned about security.

        • And it's not doing GNU/Linux any good that you have to disable it on most computers

          You don't have to do anything of the sort. All popular Linux distros have secure boot keys and are cross signed, so you don't actually need to do anything in your UEFI settings to get them to run.

          Other than enable booting from USB stick which isn't the default on most systems either.

  • The GitHub page says my board is unaffected but, according to MSI, the latest BIOS (11/2022) "changes the default setting for Secure Boot".
