Secure Boot turns out to be anything but secure, at least for now and in one respect: a bug has been found in a large number of MSI motherboards that have carried this feature for a long time. The flaw makes Secure Boot so insecure that it does not really work: it does not verify the signature of each piece of hardware and software, which leaves the computer at the mercy of an attacker, since the boot keys are not loaded as such. The number of affected motherboards is alarming, and for now the solution is in our hands, at least until MSI releases new firmware for Secure Boot.
Microsoft describes Secure Boot as a security standard developed by members of the PC industry to help ensure that a device boots using only software trusted by the original equipment manufacturer. Since that is not happening here, the seriousness of the matter is clear.
MSI firmware changed the Secure Boot settings
Your MSI motherboard is not insecure because of a security breach as such; that is not the issue. It is a change in the Secure Boot settings that makes the firmware load any software image, including Windows, without checking its legitimacy, and that in itself is a security problem.
Explaining the issue on GitHub, David Potocki, a student, noticed the problem when he found that his motherboard's firmware did not verify each piece of software and loaded the OS whether or not it had a valid signature. Following the thread, he found that the problem came from a modification MSI introduced in its Secure Boot firmware at the beginning of last year, which had gone unnoticed until now because, naturally, everything boots fine.
Secure Boot without verification: can it be fixed?
Yes, and easily. Enter the Secure Boot section of the BIOS, then “Image Execution Policy”, and change the Execute Always parameter to “Deny Execution”.
Once this is done, Secure Boot should load correctly, checking each signature and then the operating system, and performing its intended security function. The number of affected motherboards is immense: more than 290 have been counted (the list can be found at the GitHub link above) and the number is still slowly climbing. It does not matter whether your platform is Intel or AMD; the BIOS configuration is wrong for both types of processor and affects boards of all kinds.
MSI has apparently already been informed, although it has not yet issued a statement. It is likely to correct this in its next firmware, since it is very easy to do. Even so, it will have to explain why it disabled this security feature, which is very important for any current PC and motherboard, since doing so leaves users exposed to certain attacks.