The change allows any operating system image to run, regardless of whether its signature is invalid or missing.
According to Polish security researcher Dawid Potocki, the problem affects many Intel- and AMD-based MSI motherboards running a recent firmware version, including brand-new MSI motherboard models.
Secure Boot is a security feature built into the firmware of UEFI motherboards that ensures only trusted (signed) software can execute during the boot process.
On every boot, Secure Boot verifies the digital signature of each boot component against the keys and hashes stored in the firmware's signature databases (the PKI, or public key infrastructure, that authenticates boot software). If the software is unsigned, or its signature no longer matches because the image was modified, Secure Boot stops the boot process to protect the data stored on the computer.
It is effective at stopping UEFI bootkits/rootkits from launching and at warning users that their operating system has been tampered with after the vendor shipped the system.
But Potocki claims that MSI's firmware update version '7C02v3C,' released on January 18, 2022, changed a default Secure Boot setting on MSI motherboards so that the system boots even if it detects a security violation.
He found the issue when he tried to set up Secure Boot on his new desktop with the help of sbctl and discovered that his firmware was accepting every OS image he gave it, whether it was trusted or not.
The change set the "Image Execution Policy" option in the firmware to "Always Execute" by default, allowing any image to boot the device as normal even after a failed signature check.
According to Potocki, the workaround is to set the Execution Policy to "Deny Execute" for both "Removable Media" and "Fixed Media," which should once again allow only correctly signed software to boot.
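Added example, not code from the article or from Potocki's research: a Python script that decodes the Secure Boot variables the way Linux exposes them under /sys/firmware/efi/efivars, reporting the SecureBoot/SetupMode state and walking the EFI_SIGNATURE_LIST entries that make up the signature database (db) described above. The variable names, GUIDs and structure layout follow the UEFI specification; the sample blobs, the owner GUID, the hashes and the placeholder certificate bytes are constructed here so the script runs offline. The caveat it is built around: a SecureBoot value of 1 is only the firmware's statement of its configured policy, which is exactly why an "Always Execute" image policy goes unnoticed; the only conclusive check is to try booting an unsigned image, as Potocki did.

```python
# Added example (not from the article or from Potocki's research): decode the
# UEFI Secure Boot variables as Linux exposes them via efivarfs.
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")      # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "EFI_CERT_X509_GUID",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "EFI_CERT_SHA256_GUID",
}
SIG_LIST_HEADER = 28  # SignatureType GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def strip_efivarfs_attrs(blob):
    """efivarfs prefixes each variable's data with a 4-byte little-endian attributes word."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short")
    return blob[4:]


def secure_boot_state(secureboot_blob, setupmode_blob):
    """Decode SecureBoot and SetupMode (one byte each, 0 or 1).

    'enabled' is what tools such as mokutil --sb-state report. It is the firmware's
    own claim about its policy and does not prove that unsigned images are rejected;
    an 'Always Execute' image policy still reports SecureBoot == 1."""
    sb = strip_efivarfs_attrs(secureboot_blob)
    sm = strip_efivarfs_attrs(setupmode_blob)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot/SetupMode must be exactly one byte")
    return {"SecureBoot": sb[0], "SetupMode": sm[0], "enabled": sb[0] == 1 and sm[0] == 0}


def parse_signature_lists(db_blob):
    """Walk the EFI_SIGNATURE_LIST structures in db/dbx, one entry per signature."""
    data = strip_efivarfs_attrs(db_blob)
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + SIG_LIST_HEADER + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA: owner GUID + data
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": uuid.UUID(bytes_le=body[i:i + 16]),
                "data": body[i + 16:i + sig_size],
            })
        off += list_size
    return entries


def read_variable(name, guid=EFI_GLOBAL_VARIABLE):
    """Read a raw variable from a live Linux system (efivarfs; db usually needs root)."""
    with open(os.path.join(EFIVARS, "%s-%s" % (name, guid)), "rb") as f:
        return f.read()


# --- constructed fixtures so the parser can be exercised offline -----------------
def build_signature_list(sig_type, owner, sigs):
    """Build one EFI_SIGNATURE_LIST with SignatureHeaderSize = 0 (all signatures same size)."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size) + body


# Attribute words: 0x06 = BS|RT (SecureBoot/SetupMode are volatile),
# 0x27 = NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS (db).
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x00"
FAKE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed, not a real vendor GUID
SAMPLE_DB = b"\x27\x00\x00\x00" + build_signature_list(
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"), FAKE_OWNER,
    [hashlib.sha256(b"constructed-image-1").digest(), hashlib.sha256(b"constructed-image-2").digest()],
) + build_signature_list(
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"), FAKE_OWNER,
    [b"\x30\x03\x02\x01\x00"],  # placeholder DER bytes standing in for a certificate
)

if __name__ == "__main__":
    print(secure_boot_state(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    for e in parse_signature_lists(SAMPLE_DB):
        print(e["type"], e["owner"], e["data"].hex()[:16])
```

On a real machine, replace the fixtures with `read_variable("SecureBoot")`, `read_variable("SetupMode")` and `read_variable("db", EFI_IMAGE_SECURITY_DATABASE)`; the db listing shows which certificates and hashes the firmware would check an image against, while the state dictionary shows only what the firmware claims, not whether that check is enforced.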
Potocki then used this information to determine which MSI motherboards were impacted by the issue. A complete list of the over 290 motherboards affected by this insecure setting is available on GitHub.