Security researcher Dawid Potocki discovered that more than 300 MSI motherboard models ship with a default Secure Boot configuration that does not enforce signature checks: Secure Boot is reported as enabled, but the firmware's image execution policy lets any bootloader, signed or unsigned, run. According to an MSI Reddit post, the company says they “preemptively set Secure Boot as Enabled and ‘Always Execute’ as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems.” MSI reportedly plans to release firmware updates that will change the default setting to “Deny Execute.”
Note
- Classic “usability vs security” issue. Enforcing Secure Boot by default generates more support queries from users trying to boot a loader or operating system that is not signed with a key the firmware trusts, so MSI relaxed the execution policy instead of making users deal with it.
- Organizations count on OEMs to ship products properly configured. The troubling part is that this configuration choice by MSI made Secure Boot ineffective while users were unaware of it, because the firmware still reported Secure Boot as enabled. CISA has lately been talking about shifting the security burden from the end user to the vendor (secure, transparent, and sustainable products). This is an example where configuration control processes need to be reinforced and tested before shipping; otherwise an insecure default becomes a supply-chain weakness in its own right.
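As an added example (not code from the article, from Dawid Potocki, or from MSI), the following POSIX shell script reads the UEFI `SecureBoot` and `SetupMode` variables from Linux's efivarfs the same way tools such as `mokutil --sb-state` do. The point it illustrates is the one raised above: on the affected MSI boards this check reports Secure Boot as enabled even though the “Always Execute” policy lets unsigned images boot, so the OS-visible state alone is not proof of enforcement. The efivarfs path and the EFI global variable GUID are the standard Linux ones; the sample variable contents used for testing are constructed, not captured from a real board.

```shell
#!/bin/sh
# Added example: inspect the Secure Boot state the OS can see via efivarfs.
# efivarfs file layout: 4-byte little-endian attribute word, then the data.
# SecureBoot and SetupMode each carry one data byte (0 or 1).

EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e0098032b9

# Print the first data byte of an efivarfs file as an unsigned decimal.
# Returns 1 if the file is unreadable (no UEFI boot, or efivarfs not mounted).
efivar_byte() {
    [ -r "$1" ] || return 1
    # Skip the 4 attribute bytes, read 1 data byte, print it as a number.
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' '
}

# Classify a (SecureBoot, SetupMode) byte pair. Echoes one of:
#   setup-mode, enabled, disabled, unknown
classify_sb() {
    sb="$1"; setup="$2"
    if [ "$setup" = "1" ]; then
        # Firmware is in Setup Mode: no Platform Key, nothing is enforced.
        echo setup-mode
    elif [ "$sb" = "1" ]; then
        # Firmware claims it verifies images. On the MSI boards in the article
        # this byte still reads 1 while the "Always Execute" policy allows
        # unsigned bootloaders, so "enabled" here does not prove enforcement.
        echo enabled
    elif [ "$sb" = "0" ]; then
        echo disabled
    else
        echo unknown
    fi
}

# Read both variables from the given directory (default: the live efivarfs)
# and classify them. An optional directory argument makes this testable offline.
check_secure_boot() {
    dir="${1:-$EFIVARS}"
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || sb=""
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || setup=""
    classify_sb "$sb" "$setup"
}

echo "Secure Boot state as reported by firmware: $(check_secure_boot)"
```

Run it as root (or any user with read access to efivarfs) on a Linux box; `enabled` means only that the firmware says Secure Boot is on. To confirm the policy is actually “Deny Execute”, attempt to boot an unsigned EFI binary from the UEFI shell or a USB stick and verify that the firmware refuses it, or check the Image Execution Policy entry in the firmware setup. That behavioural test is the one that would have exposed the MSI default, because the variable read here looked correct on those boards.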
Read more in