About 300 MSI Motherboard Models Have a Faulty Secure Boot Implementation with Certain UEFI Firmware Versions

btarunr · Jan 19, 2023

The UEFI Secure Boot feature is designed to prevent malicious code from executing during the system boot process, and has been a cybersecurity staple since the late-2000s, when software support was introduced with Windows 8. Dawid Potocki, a New Zealand-based IT student and cybersecurity researcher, discovered that as many as 300 motherboard models by MSI have a faulty Secure Boot implementation with certain versions of their UEFI firmware, which allows just about any boot image to load. This is, however, localized to only certain UEFI firmware versions, that are released as beta versions.

Potocki stumbled upon this when he found that his PRO Z790-A WiFi motherboard failed to verify the cryptographic signature boot-time binaries at the time of system boot. "I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not." He then began examining other motherboard models, and discovered close to 300 MSI motherboard models with a broken Secure Boot implementation. He clarified that MSI laptops aren't affected, and only their desktop motherboards are. Potocki says that affected MSI motherboards have an "always execute" policy set for Secure Boot, which makes the mechanism worthless, and theorized a possible reason. "I suspect this is because they probably knew that Microsoft wouldn't approve of it and/or that they get less tickets about Secure Boot causing issues for their users."

View at TechPowerUp Main Site | Source

Space Lynx · Jan 19, 2023

Is SecureBoot on by default on new motherboards? Pretty sure mine says off in the BIOS last time I looked, and that was its default status... hmm is this something I should turn on?

Selaya · Jan 19, 2023

breaking news: snake oil is actually nonfunctional.
duh.

Chaitanya · Jan 19, 2023

Wont be surprised to find Shitsus having even worse security hole in its overpriced garbage ROG boards thanks to firmware phoning home for Armory crate. Now MSI joins Gigabyte and Asus on boards to avoid leaving ASRock the only options with boards for decent value for money.

DrCR · Jan 19, 2023

If it’s indeed an issue with only beta firmware, then this feels like a tempest in a thimble. Props to the dude for self marketing I guess.

Bjørgersson · Jan 19, 2023

How did he test ~300 motherboards?

Chomiq · Jan 19, 2023

Bjørgersson said:
How did he test ~300 motherboards?

Find people with various models and ask them to verify?

Bjørgersson · Jan 19, 2023

Chomiq said:
Find people with various models and ask them to verify?

Fair enough after all.

ncrs · Jan 19, 2023

Chomiq said:
Find people with various models and ask them to verify?

That sounds impractical

I think that an analysis of BIOS update files was performed, especially since the article indicates that only specific versions were affected.

bug · Jan 19, 2023

DrCR said:
If it’s indeed an issue with only beta firmware, then this feels like a tempest in a thimble. Props to the dude for self marketing I guess.

I'm on the fence. Betas come with a risk of unknown issues. However if MSI made these available to the public without mentioning SecureBoot is disabled, they could still be in hot water.

These boards could make interesting candidates for running Win11, I guess.

thewan · Jan 19, 2023

Selaya said:
breaking news: snake oil is actually nonfunctional.
duh.

MSI deliberately made their implementation of secure boot not work on purpose. Its the same as installing a padlock on your gate, but leaving it unlock because you were lazy to lock and unlock it every time you leave your house.

AlB80 · Jan 19, 2023

It's not a bug. It's the feature.

Fouquin · Jan 19, 2023

Chaitanya said:
ASRock the only options with boards for decent value for money.

But according to some users here ASRock is "only for poors who can't afford better." I don't know who to believe anymore, maybe the entire industry is just shit?

bug · Jan 19, 2023

Fouquin said:
But according to some users here ASRock is "only for poors who can't afford better." I don't know who to believe anymore, maybe the entire industry is just shit?

We're down to Asus, MSI, Gigabyte and AsRock. There's no competition anymore, of course everyone will cut corners every now and then. Asus - all about RGB, almost always the most expensive of the bunch, MSI - cheaps out on BIOS size has to remove support for older Zens to enable support for newer ones, Gigabyte - almost no Intel networking, AsRock - nothing special anymore about them, bricked me a motherboard years ago with a misconfigured BIOS. And for all of them, if once some sort of debug LEDs were once present on almost all, but the cheapest motherboards, they're now reserved to the high-end.

Not pretty, but not anything we can do about it either.

DeathtoGnomes · Jan 19, 2023

The NSA is not happy their hacks were found. :rolleyes:

Selaya · Jan 19, 2023

thewan said:
MSI deliberately made their implementation of secure boot not work on purpose. Its the same as installing a padlock on your gate, but leaving it unlock because you were lazy to lock and unlock it every time you leave your house.

my point is, secure boot whether actually functional or not, is snake oil regardless and thus of no (actual value)

INSTG8R · Jan 19, 2023

And here I am on an MSI board I just bought it of necessity and now this…my last BIOS was in April I believe…

ThrashZone · Jan 19, 2023

Hi,
Install 11 and see what happens hell I use workarounds on all new requirements :cool:

TheEndIsNear · Jan 19, 2023

Chaitanya said:
Wont be surprised to find Shitsus having even worse security hole in its overpriced garbage ROG boards thanks to firmware phoning home for Armory crate. Now MSI joins Gigabyte and Asus on boards to avoid leaving ASRock the only options with boards for decent value for money.

Yeah I feel ya there right now. I don't know why I got away from asrock. Never had a problem with them and the features for the money are pretty damn good.

milewski1015 · Jan 19, 2023

It takes all of about 15 seconds to boot into BIOS, navigate to Secure Boot settings, and modify the policy for Fixed Media and Removable Media to "Deny Execute". Did it last night. Problem solved. Whether it actually makes a difference or not though remains to be seen.

Link to the list

INSTG8R · Jan 19, 2023

milewski1015 said:
It takes all of about 15 seconds to boot into BIOS, navigate to Secure Boot settings, and modify the policy for Fixed Media and Removable Media to "Deny Execute". Did it last night. Problem solved. Whether it actually makes a difference or not though remains to be seen.

Link to the list

Crap I made the list…I guess I’ll try what you did and hope for the best. I mean I can’t see getting myself in a situation where I’d be vulnerable but…

NoneRain · Jan 19, 2023

INSTG8R said:
Crap I made the list…I guess I’ll try what you did and hope for the best. I mean I can’t see getting myself in a situation where I’d be vulnerable but…

You already are vulnerable, my friend. You just don't know how, I mean, now you know at least one vul.

R-T-B · Jan 19, 2023

Selaya said:
breaking news: snake oil is actually nonfunctional.
duh.

It's not snake oil exactly. A lot of techies won't use it but it has use cases. An if it isn't working it is an issue.

Juventas · Jan 19, 2023

Bjørgersson said:
How did he test ~300 motherboards?

In his original article he has added this:

I have noticed that some websites have misreported about this issue because they have not fully read my article. This firmware version only affects B450 TOMAHAWK MAX, other motherboards have different versions.

I see this story is everywhere now. Did none of them read the original article? https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/

aQi · Jan 19, 2023

The 300 series faced alot from that of EFI coming from MSI.
My z390 tomahawk still cannot boot from uefi, tried alot of bios versions yet the system kept restarting trying to load windows. Finally kept it aside and saved time with strix z370.

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	Gigabyte B550 AORUS Elite V2
Cooling	DeepCool Gammax L240 V2
Memory	2x 16GB DDR4-3200
Video Card(s)	Galax RTX 4070 Ti EX
Storage	Samsung 990 1TB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

Processor	7800X3D -25 all core
Motherboard	B650 Steel Legend
Cooling	Frost Commander 140
Memory	32gb ddr5 (2x16) cl 30 6000
Video Card(s)	Merc 310 7900 XT @3100 core -.75v
Display(s)	Agon 27" QD-OLED Glossy 240hz 1440p
Case	NZXT H710
Power Supply	Corsair RM850x

Processor	AMD Ryzen R7 5700X
Motherboard	MSI B550 Gaming Plus
Cooling	Alpenföhn Dolomit Premium
Memory	Kingston Fury Beast 16 GB
Video Card(s)	Asus RTX 4070 Dual OC 12 GB
Storage	Kingston Fury Renegade 1 TB, Western Digital Red 2 TB
Display(s)	Dell G2724D
Case	Fractal Design Meshify 2 Compact
Audio Device(s)	Asus Xonar DSX + Microlab B-77
Power Supply	Seasonic Focus GX-550
Mouse	Zowie ZA11
Keyboard	Endorfy Thock TKL Brown
Software	Windows 10 Pro

Processor	Ryzen 7 5800X3D
Motherboard	Gigabyte X570 Aorus Elite
Cooling	Thermalright Phantom Spirit 120 SE
Memory	2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s)	RTX3080 Ti FE
Storage	SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s)	LG 34GN850P-B
Case	SilverStone Primera PM01 RGB
Audio Device(s)	SoundBlaster G6 \| Fidelio X2 \| Sennheiser 6XX
Power Supply	SeaSonic Focus Plus Gold 750W
Mouse	Endgame Gear XM1R
Keyboard	Wooting Two HE

Processor	AMD Ryzen R7 5700X
Motherboard	MSI B550 Gaming Plus
Cooling	Alpenföhn Dolomit Premium
Memory	Kingston Fury Beast 16 GB
Video Card(s)	Asus RTX 4070 Dual OC 12 GB
Storage	Kingston Fury Renegade 1 TB, Western Digital Red 2 TB
Display(s)	Dell G2724D
Case	Fractal Design Meshify 2 Compact
Audio Device(s)	Asus Xonar DSX + Microlab B-77
Power Supply	Seasonic Focus GX-550
Mouse	Zowie ZA11
Keyboard	Endorfy Thock TKL Brown
Software	Windows 10 Pro

About 300 MSI Motherboard Models Have a Faulty Secure Boot Implementation with Certain UEFI Firmware Versions

btarunr

Editor & Senior Moderator

Space Lynx

Astronaut

Selaya

Chaitanya

DrCR

Bjørgersson

Chomiq

Bjørgersson

ncrs

bug

thewan

AlB80

Fouquin

Staff

bug

DeathtoGnomes

Selaya

INSTG8R

Vanguard Beta Tester

ThrashZone

TheEndIsNear

milewski1015

INSTG8R

Vanguard Beta Tester

NoneRain

R-T-B

Juventas

aQi

Processor	Intel i5-12600k
Motherboard	Asus H670 TUF
Cooling	Arctic Freezer 34
Memory	2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s)	EVGA GTX 1060 SC
Storage	500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s)	Dell U3219Q + HP ZR24w
Case	Raijintek Thetis
Audio Device(s)	Audioquest Dragonfly Red :D
Power Supply	Seasonic 620W M12
Mouse	Logitech G502 Proteus Core
Keyboard	G.Skill KM780R
Software	Arch Linux + Win10

System Name	Uzuki Toune
Processor	AMD RYZEN 7 7700X (ASUS PBO 90C Mode)
Motherboard	Asus ROG Strix X670E-E Gaming WIFI
Cooling	Thermalright Frostspirit 140 White V3 ARGB
Memory	32GB DDR6000 CL36 Kingston (EXPO)(16GBx2)
Video Card(s)	Zotac GTX 1050TI
Storage	2TB Kingston KC3000 + 1TB Crucial P2 + 480GB Samsung Evo 850 + 480GB Kingston A400
Display(s)	Dell U2723QE + Philips 221V8 (Portrait)
Case	NZXT H510
Audio Device(s)	Auzen X-FI Forte + Onboard Realtek 4080 -> Creative Gigaworks T40II
Power Supply	EVGA G+ 650W
Mouse	Logitech MX Master 3 (Work) & G103 (Play)
Keyboard	iRocks K71M
Software	Windows 11 Professional

System Name	Dumbass
Processor	AMD Ryzen 7800X3D
Motherboard	ASUS TUF gaming B650
Cooling	Artic Liquid Freezer 2 - 420mm
Memory	G.Skill Sniper 32gb DDR5 6000
Video Card(s)	GreenTeam 4070 ti super 16gb
Storage	Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s)	1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case	Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s)	onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply	Corsair HX1000i
Mouse	Steeseries Esports Wireless
Keyboard	Corsair K100
Software	windows 10 H
Benchmark Scores	https://i.imgur.com/aoz3vWY.jpg?2

System Name	Hellbox 5.1(same case new guts)
Processor	Ryzen 7 5800X3D
Motherboard	MSI X570S MAG Torpedo Max
Cooling	TT Kandalf L.C.S.(Water/Air)EK Velocity CPU Block/Noctua EK Quantum DDC Pump/Res
Memory	2x16GB Gskill Trident Neo Z 3600 CL16
Video Card(s)	Powercolor Hellhound 7900XTX
Storage	970 Evo Plus 500GB 2xSamsung 850 Evo 500GB RAID 0 1TB WD Blue Corsair MP600 Core 2TB
Display(s)	Alienware QD-OLED 34” 3440x1440 144hz 10Bit VESA HDR 400
Case	TT Kandalf L.C.S.
Audio Device(s)	Soundblaster ZX/Logitech Z906 5.1
Power Supply	Seasonic TX~’850 Platinum
Mouse	G502 Hero
Keyboard	G19s
VR HMD	Oculus Quest 3
Software	Win 11 Pro x64

System Name	Ghetto Rigs z490\|x99\|Acer 17 Nitro 7840hs/ 5600c40-2x16/ 4060/ 1tb acer stock m.2/ 4tb sn850x
Processor	10900k w/Optimus Foundation \| 5930k w/Black Noctua D15
Motherboard	z490 Maximus XII Apex \| x99 Sabertooth
Cooling	oCool D5 res-combo/280 GTX/ Optimus Foundation/ gpu water block \| Blk D15
Memory	Trident-Z Royal 4000c16 2x16gb \| Trident-Z 3200c14 4x8gb
Video Card(s)	Titan Xp-water \| evga 980ti gaming-w/ air
Storage	970evo+500gb & sn850x 4tb \| 860 pro 256gb \| Acer m.2 1tb/ sn850x 4tb\| Many2.5" sata's ssd 3.5hdd's
Display(s)	1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
Case	D450 \| Cherry Entertainment center on Test bench
Audio Device(s)	Built in Realtek x2 with 2-Insignia 2.0 sound bars & 1-LG sound bar
Power Supply	EVGA 1000P2 with APC AX1500 \| 850P2 with CyberPower-GX1325U
Mouse	Redragon 901 Perdition x3
Keyboard	G710+x3
Software	Win-7 pro x3 and win-10 & 11pro x3
Benchmark Scores	Are in the benchmark section

Processor	Ryzen 5 5600X
Motherboard	MSI MPG X570S Carbon Max Wifi
Cooling	CPU: bequiet! Dark Rock 4. Case fans: 2x bequiet Silent Wings 3 140s, 2x Silent Wings 3 120s
Memory	2 x 8 GB Patriot Viper Steel DDR4-4400 C19
Video Card(s)	Sapphire NITRO+ RX 5700 XT
Storage	2TB Mushkin Pilot-E M.2, 1 TB SK Hynix P31 M.2, 1 TB Inland Professional, 500 GB Samsung 860 Evo
Display(s)	MSI Optix MAG271CQR 1440p 144Hz, MSI Optix MAG241C 1080p 144Hz
Case	Lian Li Lancool III
Audio Device(s)	Philips SHP9500, V-Moda BoomPro, Sybasonic Better Connectivity USB DAC/Amp
Power Supply	EVGA SuperNOVA G3 80+ Gold 750W
Mouse	Glorious Model D Wireless
Keyboard	Custom Qwertykeys Navy QK80: Sarokeys Strawberry Wine switches, GMK CYL DMG3 keycaps

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	128GB (4x 32GB) G.Skill Flare X5 @ DDR5-4200(Running 1:1:1 w/FCLK)
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64, other office machines run Windows 11 Enterprise

System Name	JUV4
Processor	AMD Ryzen 5 9600X
Motherboard	ASUS Prime B650-Plus
Cooling	Noctua NH-P1 (fanless)
Memory	TeamGroup T-Force DDR5-6000 CL30
Video Card(s)	ASUS ROG Strix GeForce RTX 2070
Storage	Lexar NM790
Display(s)	AOC AGON AG273QX
Case	Thermaltake Core P3 TG (fanless)
Audio Device(s)	Topping DX3 Pro+ with Beyerdynamic Amiron Home
Power Supply	Seasonic Platinum Fanless
Mouse	Logitech G Pro X Ultralight
Keyboard	Durgod Taurus K320 with Cherry Silent Red switches