MSI breaks Secure Boot on hundreds of motherboards

An insecure default UEFI Secure Boot setting that permits any operating system image to run, regardless of a missing or invalid signature, reportedly affects more than 290 MSI motherboards.

Polish security researcher Dawid Potocki discovered the issue. He says he tried to contact MSI about it but received no response.

Potocki says the issue affects many Intel- and AMD-based MSI motherboards, including brand-new models.

Secure Boot by UEFI

Secure Boot, a security feature built into the firmware of UEFI motherboards, ensures that only trusted (signed) software can execute during boot.

Microsoft explains that “When the computer starts, it checks the signatures of every piece of boot code, including UEFI drivers (also called Option ROMs), EFI apps, and the operating systems.”

If the signatures are valid, the computer boots and the firmware hands control to the operating system.

Secure Boot verifies boot loaders and OS kernels against a public key infrastructure (PKI), authenticating and validating the software on every boot.

Secure Boot stops the boot process if the software is unsigned or its signature no longer matches, which can indicate that the program has been altered.

This mechanism prevents UEFI rootkits and bootkits from launching on the computer, and it alerts users when their operating system has been altered since it was shipped by the vendor.

Default MSI settings cause insecure boots

Potocki asserts that MSI’s firmware version 7C02v3C, released January 18, 2022, changed the default Secure Boot setting so that the system still boots even when a security breach (a failed signature check) is detected.

“I used sbctl to set up Secure Boot on my new computer. Unfortunately, my firmware accepted every OS image that I provided, regardless of whether it was trusted or untrusted,” the researcher wrote.

“It wasn’t broken firmware, as I later found out on 2022-12-16. MSI had modified their Secure Boot defaults so that it would allow for booting on security breaches (!!).”

The firmware’s default “Image Execution Policy” was set incorrectly, allowing any image to boot as usual.

Insecure default setting on latest MSI firmware

The image shows Secure Boot enabled, but its “Image Execution Policy” set to “Always Execute”, which allows the system to start even when a security breach has been detected.

Secure Boot is effectively broken, as any untrusted image can be used to boot the device.

Potocki explained that users need to set the Image Execution Policy to “Deny Execute” for both “Removable Media” and “Fixed Media”, which permits only signed software to run.

Changing the unsafe option

According to the researcher, MSI did not document the change. He had to trace when the insecure default was introduced and how it was configured by examining the firmware’s UEFI Internal Forms Representation (IFR).

Potocki used that information to identify which MSI motherboards are affected, and has compiled a complete list of the 290 motherboards that ship with the insecure setting.

You can check your BIOS settings to make sure your MSI motherboard is configured securely.
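The catch for anyone auditing a fleet is that the operating system cannot see the Image Execution Policy: the UEFI SecureBoot variable reads “enabled” on these boards even though nothing is enforced. The following Python triage script is an added example (not the researcher’s or MSI’s code) that reads the OS-visible state from Linux efivarfs and DMI and downgrades an MSI board on firmware dated on or after January 18, 2022 to “unverified”, telling the operator to confirm “Deny Execute” in BIOS setup. It assumes the efivarfs and sysfs DMI paths, the DMI vendor string containing “Micro-Star”, and the article’s firmware date as a cutoff heuristic.

```python
from pathlib import Path
from typing import Optional, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
DMI = Path("/sys/class/dmi/id")
INSECURE_DEFAULT_SINCE = (2022, 1, 18)  # date of MSI firmware 7C02v3C per the article (heuristic)

def efivar_flag(raw: Optional[bytes]) -> Optional[bool]:
    """Decode a one-byte UEFI boolean; efivarfs prepends a 4-byte attribute word."""
    if raw is None or len(raw) < 5:
        return None
    return raw[4] == 1

def parse_dmi_date(text: str) -> Optional[Tuple[int, int, int]]:
    """DMI bios_date is MM/DD/YYYY; return (year, month, day) so tuples compare in order."""
    try:
        month, day, year = (int(p) for p in text.strip().split("/"))
    except ValueError:
        return None
    return (year, month, day)

def assess(secure_boot, setup_mode, board_vendor, bios_date) -> Tuple[str, str]:
    """Return (verdict, explanation). SecureBoot == 1 only means the feature is switched on;
    with Image Execution Policy at 'Always Execute' nothing is enforced, so an affected MSI
    board is at best 'unverified' until the policy is checked in BIOS setup."""
    if secure_boot is not True:
        return "off", "Secure Boot disabled or not a UEFI boot: no signature checks at all"
    if setup_mode:
        return "setup-mode", "firmware is in Setup Mode: the key databases can be rewritten"
    if "micro-star" in board_vendor.lower() and (bios_date is None or bios_date >= INSECURE_DEFAULT_SINCE):
        return "unverified", ("SecureBoot reports enabled, but MSI firmware from this period defaulted "
                              "Image Execution Policy to 'Always Execute'; confirm 'Deny Execute' for "
                              "Removable Media and Fixed Media in BIOS setup")
    return "enabled", "Secure Boot enabled and no known default-policy caveat for this vendor"

def _read(path: Path) -> Optional[bytes]:
    return path.read_bytes() if path.exists() else None

def assess_host() -> Tuple[str, str]:
    """Collect the live values from efivarfs and DMI and assess this machine."""
    bios_date = _read(DMI / "bios_date")
    return assess(
        efivar_flag(_read(EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}")),
        efivar_flag(_read(EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}")),
        (_read(DMI / "board_vendor") or b"").decode(errors="replace"),
        parse_dmi_date(bios_date.decode()) if bios_date else None,
    )
```

Call `assess_host()` on the machine being audited; an “unverified” verdict means the only reliable check is the Image Execution Policy screen in BIOS setup itself.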

If you haven’t updated your motherboard firmware since January 2022, you shouldn’t delay doing so, as firmware updates provide important security fixes.

BleepingComputer reached out to MSI in an attempt to find out more about the situation and whether MSI plans to modify the default settings via a new update. We are still waiting for a reply.