BIOS issue: With MSI, Secure Boot is practically off when it's on


The Polish student Dawid Potocki reports on a security problem that apparently affects hundreds of mainboards from the manufacturer MSI. These have a default BIOS setting that allows running unsigned operating systems despite the activated Secure Boot function.

In his personal blog, Potocki describes the problem in detail. According to him, the setting “Image Execution Policy -> Always Execute” is active by default. This allows any operating system image to be executed, even if it is not signed at all. Anyone who does not look into the submenu will not notice that Secure Boot is practically ineffective despite being enabled in the BIOS.

Secure Boot enabled in BIOS… (Image: Dawid Potocki)
…but the submenu allows all images to be run (Image: Dawid Potocki)

Secure Boot briefly explained

Microsoft describes the function as follows: “Secure Boot is an important security feature that prevents malware from loading when the PC starts (boots)”. The feature is part of the UEFI specification and is intended to guarantee the authenticity of software such as the boot program of operating systems or drivers loaded when the system starts, so that no manipulated and potentially harmful software is executed. This enables protection against so-called rootkits, for example.

Potocki's discovery

As early as December, Dawid Potocki tried to set up Secure Boot on his desktop PC with an MSI mainboard and found that any image could be run despite the function being enabled. After investigating, Potocki came to the conclusion that MSI had set the “Image Execution Policy” to the value “Always Execute” with a firmware change (BIOS update).

Secure Boot only works as intended once the setting for “Removable Media” and “Fixed Media” is manually changed to “Deny Execute”.
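The usual way to check Secure Boot from a running Linux system is to read the UEFI variables SecureBoot and SetupMode from efivarfs. The following script is an added example, not code from the article or from Potocki; it assumes a Linux system booted in UEFI mode with efivarfs mounted at /sys/firmware/efi/efivars. The important caveat, and the reason the script is here, is that these variables only report what the firmware advertises: on an MSI board with the “Always Execute” policy described above, SecureBoot still reads as enabled while unsigned images are loaded anyway. Whether signature enforcement actually happens can only be confirmed in the firmware’s Image Execution Policy submenu.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace, under which SecureBoot and
# SetupMode are stored (this is the standard value from the UEFI specification).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes the variable contents with a 4-byte little-endian
    attribute mask (e.g. 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS).
    """
    if len(raw) < 4:
        raise ValueError("efivarfs record too short to contain an attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_variable(raw: bytes) -> bool:
    """Interpret a one-byte UEFI variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Classify the firmware-advertised state from the two raw efivarfs records.

    Returns "setup-mode" (no platform key enrolled, no enforcement possible),
    "enabled" or "disabled". Note that "enabled" means only that the firmware
    claims Secure Boot is on; it says nothing about the Image Execution Policy.
    """
    if boolean_variable(setupmode_raw):
        return "setup-mode"
    return "enabled" if boolean_variable(secureboot_raw) else "disabled"


def read_variable(name: str) -> bytes:
    """Read a raw efivarfs record for a variable in the EFI global namespace."""
    return (EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()


if __name__ == "__main__":
    try:
        state = secure_boot_state(read_variable("SecureBoot"), read_variable("SetupMode"))
    except FileNotFoundError:
        print("UEFI variables not available (legacy boot or efivarfs not mounted)")
    else:
        print(f"firmware reports Secure Boot: {state}")
        if state == "enabled":
            # The value is necessary but not sufficient: an "Always Execute"
            # Image Execution Policy, as on the affected MSI boards, is invisible here.
            print("check the Image Execution Policy in the firmware setup to confirm enforcement")
```

The two helper functions are separated from the file access so the parsing can be exercised on constructed efivarfs records without a UEFI system at hand.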

Allegedly affected Motherboards

Potocki's published list of allegedly affected MSI motherboards is long and available on GitHub. According to Bleeping Computer, it reportedly comprises 290 models. Among them are newer models on which all BIOS versions are affected; of the much larger number of older models, only those with a newer BIOS are affected.

Furthermore, MSI laptops reportedly do not have this problem with Secure Boot, and Potocki has so far not found anything comparable from other mainboard manufacturers.

By his own account, he has already contacted MSI about the problem through various channels, but has not yet received a reply.

The editors would like to thank “Euphoria” for pointing this out to us.