If you have an MSI motherboard released in the last few years and have Secure Boot enabled, depending on the firmware version you're using, the feature might not work as you would hope. According to recent findings, almost 300 MSI motherboards have a lousy implementation of the component in select UEFI firmware versions.
Based on Dawid Potocki's investigation (via The Register), many MSI motherboards with specific firmware versions are not working as intended with Secure Boot enabled. When turning on Secure Boot, the default option for the “Image Execution Policy” setting for removable and fixed media should be “Deny Execute”. Instead, the default selection is “Always Execute”, making the Secure Boot feature useless.
To clarify what Secure Boot actually is, it's a security standard created by members of the PC industry to ensure that a device boots using only software trusted by the OEM. When the computer boots, the firmware verifies the signature of all boot software, including UEFI firmware drivers, EFI programs, and the operating system. If the signatures are genuine, the computer boots, and the firmware hands control of the system over to the OS. With the “Always Execute” option enabled for various media types, the firmware allows the OS to boot without verifying its signature.
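The following is an added example, not code from the article, the researcher or MSI: a simplified model of the load decision described above, comparing the reported default with the expected one. The setting labels are the ones quoted in the article; the media keys, function names and sample images are constructed for illustration.

```python
from dataclasses import dataclass

# Setting labels as quoted in the article.
ALWAYS_EXECUTE = "Always Execute"
DENY_EXECUTE = "Deny Execute"

# Image Execution Policy per media type (keys are illustrative names).
SHIPPED_DEFAULT = {"removable": ALWAYS_EXECUTE, "fixed": ALWAYS_EXECUTE}
EXPECTED_DEFAULT = {"removable": DENY_EXECUTE, "fixed": DENY_EXECUTE}


@dataclass(frozen=True)
class BootImage:
    name: str
    media: str             # "removable" or "fixed"
    signature_valid: bool  # outcome of checking the image against trusted keys


# Constructed sample images (hypothetical file names).
SAMPLE_IMAGES = [
    BootImage("signed-os-loader.efi", "fixed", True),
    BootImage("modified-os-loader.efi", "fixed", False),
    BootImage("signed-installer.efi", "removable", True),
    BootImage("unsigned-usb-tool.efi", "removable", False),
]


def firmware_runs(policy, image):
    """Simplified model: would the firmware start this image?"""
    if policy[image.media] == ALWAYS_EXECUTE:
        return True               # the verification result is never consulted
    return image.signature_valid  # Deny Execute: a failed check blocks the image


def unverified_images_run(policy, images=SAMPLE_IMAGES):
    """Names of images that fail verification yet would still be started."""
    return [i.name for i in images
            if not i.signature_valid and firmware_runs(policy, i)]


def weak_settings(policy):
    """Media types whose policy leaves Secure Boot ineffective."""
    return sorted(m for m, p in policy.items() if p != DENY_EXECUTE)


if __name__ == "__main__":
    for label, policy in (("shipped", SHIPPED_DEFAULT),
                          ("expected", EXPECTED_DEFAULT)):
        print(label, weak_settings(policy), unverified_images_run(policy))
```
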
The issue seems to affect most motherboards released in the last six years, but only select firmware versions are affected by it. The researcher noted that most are beta BIOS releases. Still, considering they're available to the public, we'd have hoped MSI would offer a warning to its customers. That's, of course, assuming the firmware is released like this with MSI's knowledge. MSI hasn't yet commented on these findings. However, Potocki suspects the company did this intentionally “because they probably knew that Microsoft wouldn't approve of it and/or that they get less tickets about Secure Boot causing issues for their users”.
KitGuru says: Do you own an MSI motherboard affected by this issue? Have you checked if the BIOS version you're running has a faulty Secure Boot?