Stories
Slash Boxes
Comments

SoylentNews is people

The Fine print: The following are owned by whoever posted them. We are not responsible for them in any way.

Journal by AnonTechie

Nearly 300 MSI motherboards will run any code in Secure Boot, no questions asked
'I believe they made this change deliberately' claims researcher

The Secure Boot process on almost 300 different PC motherboard models manufactured by Micro-Star International (MSI) isn't secure, which is particularly problematic when "Secure" is part of the process description.

Dawid Potocki, an open source security researcher and student based in New Zealand, found last month that some MSI motherboards with certain firmware versions allow arbitrary binaries to boot despite Secure Boot policy violations.

Secure Boot is a PC security standard intended to ensure that devices boot only software trusted by the maker of the hardware. The device firmware is supposed to check the cryptographic signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system. That's the theory, anyway.

The Register

Display Options Threshold/Breakthrough Reply to Article Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday January 17 2023, @10:05PM

    by Anonymous Coward on Tuesday January 17 2023, @10:05PM (#1287268)

    Go out and buy an MSI motherboard, and you can run the OS of your choice.

  • (Score: 0) by Anonymous Coward on Wednesday January 18 2023, @02:31AM (7 children)

    by Anonymous Coward on Wednesday January 18 2023, @02:31AM (#1287295)

    Three hundred motherboards, or three hundred models of motherboards? How many motherboards does MSI make, anyway? (And, no, I did not read beyond the initial sentence. No true Soylentil would RTFS. )

    • (Score: 4, Informative) by canopic jug on Wednesday January 18 2023, @03:37AM (6 children)

      by canopic jug (3949) Subscriber Badge on Wednesday January 18 2023, @03:37AM (#1287309) Journal

      The number refers to motherboard models, so that would be a very large number of actual motherboards. From the not-so-fine article:

      The Secure Boot process on almost 300 different PC motherboard models manufactured by Micro-Star International (MSI) isn't secure, which is particularly problematic when "Secure" is part of the process description.

      The article misses the main point, that "Secure boot" is a misnomer anyway. Restricted boot is a better name for what it does. It has little to nothing to do with actual security (availability, integrity, confidentiality) and everything to do with ensuring that the m$ monopoly over the Original Equipment Manufacturers (OEM) extends to the operating systems allowed on the hardware sold, even after-market.

      For now, it has been possible to turn off restricted boot in UEFI (an operating system of its own) and install the operating system of your choice. But that's only for now. The option to turn off restricted boot has been vanishing and be universally replaced with always-on settings. Because a small and shrinking number of the population understand computer systems, this incident will simply accelerate its removal out of misguided concerns for "muh securiddy". Worse, few politicians and even fewer actual policy makers have spoken up even once about this threat. It's off the radar. Heck, even the FSF has been dead quiet about this for a long time, aside from one campaign a very long time ago which counterproductively quoted the very same troll, Garrett, who got m$ off the anti-trust hook in this question [fsf.org] and now cites a corporate propaganda page on it in "Wikipedia". Looking back, one of the other mistakes the FSF made there was lobbying to the population instead of also hiring professional lobbyists to represent the campaign to congress.

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 3, Interesting) by RS3 on Wednesday January 18 2023, @06:48AM (5 children)

        by RS3 (6367) on Wednesday January 18 2023, @06:48AM (#1287324)

        Some years ago, 10-15 IIRC, I had some need to fix some BIOS problems and found several BIOS editors. It was pretty amazing what you could do in some cases, and what you could not do in others. Much depended on who wrote the base BIOS (Phoenix, AMI, Award...). It may be difficult to find such tools now- I haven't tried. But I've been wondering if I could remove the UEFI stuff, in case they do like you mention and force UEFI boot.

        AFAIK most Linux distros will install and boot into UEFI systems. Please anyone let me know if I'm wrong. From a very little searching some references suggest systemd is required to boot into UEFI.

        I have to wonder if MSI was quietly letting these ship so people could install OSes without the added and completely unnecessary hassles of UEFI. If I had one of these boards, I might not update the BIOS...

        • (Score: 3, Informative) by canopic jug on Wednesday January 18 2023, @07:43AM (1 child)

          by canopic jug (3949) Subscriber Badge on Wednesday January 18 2023, @07:43AM (#1287327) Journal

          Some GNU/Linux systems have a shim [ubuntu.com] which has been signed by m$ so that m$ allows the rest of the operating system to load. Otherwise you have to turn off restricted boot in order to use the system. You get that far only because m$ lets you. In order for manufacturers to be allowed a Windows sticker on their devices, they must have restricted boot in place. Certainly the excuses offered in support of UEFI over normal BIOS turned out to all be lies or, at best, mistakes. It'd be a matter for the antri-trust division of the US DOJ but for one weasel.

          It may be difficult to find such tools now- I haven't tried. But I've been wondering if I could remove the UEFI stuff, [...]

          There are two such projects to replace the specialized, complex, and insecure UEFI operating system which has replaced the old, simple BIOS:

          I hope I am wrong but I got the impression that they are both one-person projects, or too close to being that. However, they are not any less important for that.

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 2) by Freeman on Thursday January 19 2023, @10:43PM

            by Freeman (732) on Thursday January 19 2023, @10:43PM (#1287638) Journal

            I'll just leave this fine XKCD here, for your enjoyment:
            "Dependency"
            https://xkcd.com/2347/ [xkcd.com]

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 1, Interesting) by Anonymous Coward on Wednesday January 18 2023, @02:33PM (2 children)

          by Anonymous Coward on Wednesday January 18 2023, @02:33PM (#1287356)
          With my previous aging PC, using the BIOS settings I could increase the refresh rate of my RAM (reduce the time between RAM refreshes)- this in theory would lower performance, but I found I gained stability (got much fewer BSODs - zero or near zero actually).

          Don't see such stuff for my new PC which doesn't seem as stable - maybe Windows 10 AND 64GB of non ECC RAM has something to do with it (I did want ECC RAM but didn't manage to get it).
          • (Score: 2) by RS3 on Wednesday January 18 2023, @05:52PM

            by RS3 (6367) on Wednesday January 18 2023, @05:52PM (#1287390)

            I've had quite a few RAM failures recently. I feel like my various systems' RAM was good for many many years, but in the past year or so I think I found 5 SODIMM and DIMM failures, all in newer systems. I don't remember if those systems had settable RAM timings, but if they did, and I had time to kill, it would be interesting to change the timings and see if the RAM would pass the tests. Could RAM quality be going downhill? They weren't the best RAM brands.

            Have you run memtest86?

            Most BIOSes won't let you change RAM access timings. I applaud ones that will. Most of your better motherboards give you that control. I'd venture that any sold as "gaming" will have lots of settings. I've even seen MB master bus clock adjustable right in the BIOS. I remember one system that would let you push the clock speed, and if it crashed, the BIOS would automatically lower the speed to stock on reboot. The motherboard that has your back.

            Not sure about ECC- not all motherboards "support" it.

          • (Score: 1, Interesting) by Anonymous Coward on Wednesday January 18 2023, @07:05PM

            by Anonymous Coward on Wednesday January 18 2023, @07:05PM (#1287408)

            With my previous aging PC, using the BIOS settings I could increase the refresh rate of my RAM (reduce the time between RAM refreshes)- this in theory would lower performance, but I found I gained stability (got much fewer BSODs - zero or near zero actually).

            It's very likely that this problem has nothing whatsoever to do with your RAM refresh you just need to replace failing capacitors on the motherboard. This is the most common failure mode on old PCs in my experience, especially if your board dates from the mid-2000s capacitor plague, often manifesting with intermittent stability problems like you describe.

  • (Score: 1, Touché) by Anonymous Coward on Wednesday January 18 2023, @02:51PM

    by Anonymous Coward on Wednesday January 18 2023, @02:51PM (#1287360)

    MSI is evil, only NSA's certified backdoors should be allowed by default...

    Like Intel and AMD's "Management Engines" for example. Or Windows 10/11 (which regularly talks to NSA friendly parties).

    With MSI's current behavior someone could install an OS from China with Chinese backdoors! Or a tampered version of Windows 10 from China!

    OMG this is an amazingly huge vulnerability! It's so dangerous! /s

    Seriously though, even with the boot restrictions enabled, you could still end up with Chinese backdoors. The boot restrictions do NOTHING vs wordpress, browser, MS, PHP, OS, etc exploits. All they do is just ensure that only certain Operating Systems can be booted up - they do not make those OSes more secure, if those OSes are filled with holes they remain filled with the same holes.

(1)