secure those boots —
The shortcoming has left users susceptible to malicious bootloaders for 18 months.
– Jan 20, 2023 11:00 pm UTC
Secure Boot is an industry standard for ensuring that Windows devices don’t load malicious firmware or software during the startup process. If you have it turned on—as you should in most cases, and it’s the default setting mandated by Microsoft—good for you. If you’re using one of more than 300 motherboard models made by manufacturer MSI in the past 18 months, however, you may not be protected.
Introduced in 2011, Secure Boot establishes a chain of trust between the hardware and software or firmware that boots up a device. Prior to Secure Boot, devices used software known as the BIOS, which was installed on a small chip, to instruct them how to boot up and recognize and start hard drives, CPUs, memory, and other hardware. Once finished, this mechanism loaded the bootloader, which activates tasks and processes for loading Windows.
The problem was: The BIOS would load any bootloader that was located in the proper directory. That permissiveness allowed hackers who had brief access to a device to install rogue bootloaders that, in turn, would run malicious firmware or Windows images.
When Secure Boot falls apart
About a decade ago, the BIOS was replaced with the UEFI (Unified Extensible Firmware Interface), an OS in its own right that could prevent the loading of system drivers or bootloaders that weren’t digitally signed by their trusted manufacturers.
UEFI relies on databases of both trusted and revoked signatures that OEMs load into the non-volatile memory of motherboards at the time of manufacture. The signatures list the signers and cryptographic hashes of every authorized bootloader or UEFI-controlled application, a measure that establishes the chain of trust. This chain ensures the device boots securely using only code that’s known and trusted. If unknown code is scheduled to be loaded, Secure Boot shuts down the startup process.
A researcher and student recently discovered that more than 300 motherboard models from Taiwan-based MSI, by default, aren’t implementing Secure Boot and are allowing any bootloader to run. The models work with various hardware and firmware, including many from Intel and AMD (the full list is here). The shortcoming was introduced sometime in the third quarter of 2021. The researcher accidentally uncovered the problem when attempting to digitally sign various components of his system.
“On 2022-12-11, I decided to setup Secure Boot on my new desktop with a help of sbctl,” Dawid Potocki, a Poland-born researcher who now lives in New Zealand, wrote. “Unfortunately I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not. It wasn’t the first time that I have been self-signing Secure Boot, I wasn’t doing it wrong.”
Potocki said he found no indication motherboards from manufacturers ASRock, Asus, Biostar, EVGA, Gigabyte, and NZXT suffer the same shortcoming.
The researcher went on to report that the broken Secure Boot was the result of MSI inexplicably changing its default settings. Users who want to implement Secure Boot— which really should be everyone—must access the settings on their affected motherboard. To do that, hold down the Del button on the keyboard while the device is booting up. From there, select the menu that says SecuritySecure Boot or something to that effect and then select the Image Execution Policy submenu. If your motherboard is affected, Removable Media and Fixed Media will be set to “Always Execute.”
To fix, change “Always Execute” for these two categories to “Deny Execute.”
In a Reddit post published on Thursday, an MSI representative confirmed Potocki’s findings. The representative wrote:
We preemptively set Secure Boot as Enabled and “Always Execute” as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations. For users who are highly concerned about security, they can still set “Image Execution Policy” as “Deny Execute” or other options manually to meet their security needs.
The post said that MSI will release new firmware versions that will change the default settings to “Deny Execute.” The above-linked subreddit contains a discussion that may help users troubleshoot any problems.
As mentioned, Secure Boot is designed to prevent attacks in which an untrusted person surreptitiously gets brief access to a device and tampers with its firmware and software. Such hacks are usually known as “Evil Maid attacks,” but a better description is “Stalker Ex-Boyfriend attacks.”