I would never buy a MSI laptop. It would be a dumb decision and MSI doesn't support Linux in anyway.
It is much better to buy a Dell, HP or system76 laptop which have companies that actually support Linux and make sure their hardware works!
Such as the Dell XPS series which you can buy with Ubuntu, or the HP Dev One which comes with Pop! OS.

Lenovo supports Linux too, including the LVFS

None of mentioned linux laptops are even in the same price range. You can get by specs way more impressive MSI laptop then any of those companies. Linux support comes at the cost, + MSI is mostly gaming company, there is less interested in gaming company to professionally support linux. But it is worth noting that nothing MSI does is out of ordinary and some of those features do work (I think by UEFI bits?).

Eg. integrated webcam example (from github project) :
Funny thing on my old MSI laptop on linux the function key FN+(I think F5) worked out of box on ubuntu. Sure i couldn't disable the function key behaviour but FN+F5 worked to disable and enable integrated webcam. And If that works, remaining parts i would say is not necessery (and those driver provide). Default fan control on my laptop also was good enough, I wouldn't change it, and all default(generic) tools to turn power safe features from Intel and Nvidia also worked.

From all what driver provides only 2 things sound interesting:
msi-ec/battery_mode​ - yup i could benefit from forcing maximum 80-90% charge to prolong longevity, but i doubt most companies allow such thing
/msi-ec/shift_mode​ - i wonder if it works better then Intel/Nvidia power saving settings, but i hope so! Also again i wonder which of companies above allow laptop to underclock and undervolt and which ones allow overclocking it (LOL).

Edit: Keep in mind for some reason coreboot chosen ... MSI motherboard as early adopter for some of their stuff. In laptop space I hate the most companies that do something special about their hardware, and after they don't provide drivers/support around them. In MSI so far everything generic just works. MSI bios updates can be done without reliance on windows, and looking in general over internet pretty much everything works out of box, and MSI bios allows you to for example underclock/undervolt etc. People over internet don't complain about battery life and in general reddit etc is full of positive opinions.

Only if you ignore that MSI won't help you if you tell them you're using Linux on the system when you request support. They'll immediately blow you off and ignore any problems you expose even if they potentially affect Windows users. I know because I've had to deal with their 'support' team twice with bugs in their firmware. MSI's version of secure boot is also broken by default. They've doubled down on it not being an issue instead of fixing the problem, confirmed in the most recent firmware update from February '23 on my MSI X570 board. If you care about boot chain integrity and general security, this should be enough to avoid MSI products entirely. There's plenty of reasons not to like MSI. So, regardless of what you think you've seen about MSI on "the Internet", things aren't at all rosy with MSI regardless of your OS choices. These may be issues you don't care about. That's fine, it's your money. But please don't blow off the opinions of people in which issues like active and responsive product support and device security does matter.

Edit to add: UEFI encapsulation is the default method for system board firmware updates these days. So, as a general rule any board that uses UEFI doesn't really need Windows to update itself. It's all done internally and can be triggered by a key sequence in the POST screen.

All of these software defined keys are frustrating. Asus, MSI, Dell... can be an adventure figuring out what will and won't work with any given distro or kernel version (Asus, I'm looking at you with your keyboards that are "any key to shut down" pre kernel 6.something...). I miss the physical trackpad on/off button and wifi switch of my first laptop.

I've dealt with MSI support for a faulty 3080Ti and had no issues at all. But my cousin has had very poor experiences of their support. To be honest support from all of the major manufacturers can be a bit hit or miss - I've had both good and bad experiences from Acer, Asus, Gigabyte, Dell, HP, Supermicro, MSI, Maxtor, Western Digital, Toshiba... about the only hardware company I can say I've only had negative experiences of their tech support is Seagate, and that's because the two times I've needed their tech support were such a colossal headache I've just avoided them since.

To my knowledge they do not prevent you from locking it down and making safe, so while it is definitely something to be aware of, it's just another on a long checklist of items to go through when building or setting up any new system. Although I would have preferred that they make slightly more of the fact that that is the default.

The same can be said of pretty much every company anyone has ever had a bad experience with.

Do you seriously believe forcing people to deny execute by default on AIB motherboard that in 99% of cases will be used by each user individually or by some smaller system builder that you know should validate if configuration works, othen by tools that do not support secure boot (for obvious reasons). Responsbility of BIOS settings falls onto system builder, It is like saying "Hey you don't have XMP/A-XMP by default enabled". Guess what they cannot enable by default but if I saw this not enabled on someone's custom computer, I would laugh at that person - it is your responsibility.

Like literally look at security researcher recommendation
Guess who has to use removable media to install new OS, that's right you, what you exactly do when you get motherboard from shop. Changing this setting by default would be stupid as you would have to allow execution and after disable it again. And at that point it is your responsibility.
The valid concern is that most MSI manuals lack proper instructions to do so. Also none of laptops are mentioned in that research (I wonder why, that is right because with preinstalled OS diffrent defaults are sane!)
Also i am talking about what stuff are in UEFI, like function keys. Lenovo commonly installs own bloatware to make function keys work, MSI has them without bloatware at hardware level.

It's out of spec, disables a layer of security, and MSI doesn't tell you the default is useless for its intended purpose. Seriously, it can't be any more clear this is broken. I can turn your argument right around on you and point out that only a few OSes don't have signed secure boot chains (Pop-OS springs to mind) so there is no real point to having this turned off (especially since, to turn your argument around again, people looking to install such an OS should already know they need to turn off SB)- except if you're intentionally (or extreme incompetence) setting up your customers for root kit compromises because they'll never know that's the case with this setting without extraordinary measures. No one is 'forcing' anyone to do anything although I do wish it were possible to force people to stop being stupid over security features that are safer when active than off and allows people the option to turn them off if necessary. I so cry that a tiny minority of people should have to turn off SB when the vast majority of people do not (99% or more of MSI customers wouldn't have to turn it off) - and would be safer if the default wasn't stupidly insane.

Should add that the third reason, not informing the customer of a known (to the vendor) very real risk, is nearly always the famous last words just before a jury finds for the customer in a wilful negligence case.

Pity, looks like another company that gets to benefit from the skill of well-meaning open source software developers, without contributing anything in return.
The only upside to this is that if MSI didn't develop it, they probably won't advertise with it either, so people won't buy a laptop from them with the intention of installing linux (unless they already have one and it's convenient).
As much as I hate paying the premium, morally i feel as though my next laptop should be a system76 one or whatever other brand that actually contributes something to linux. Anything that actually benefits linux development, instead of just rides along on it's success

No, you can't make it "safe". MSI motherboards lack basic protections (like every other motherboard maker, because they do not care and Intel and AMD don't have the balls to force them), which means that you are able to flash the firmware from the OS. Flashing the firmware will reset firmware settings, including Secure Boot settings. So all you have to do as an attacker is update user's firmware from the OS and you just bypassed Secure Boot without even having to mod the firmware.

MSI told me that they allow flashing from the OS because:

It's not like you can do it in a safer manner… oh right, you can, but that requires *some* effort.

I don't think it's out of spec, at least EDK II config file doesn't claim that for the setting MSI chose (which it does for other 2 options).


This is not to say that this is okay as a default configuration. The only hope of making MSI fix it is by removing these options from EDK II (which isn't that crazy of an idea and might actually work) or Intel/AMD forcing them to.

"99%" of users will only ever run Windows which… supports Secure Boot OOTB… so…

Thankfully you know how well this configuration works and you surely know that GRUB will refuse to boot the OS if this configuration is used, because it assumes that shim should be available when Secure Boot is enabled and if a distro doesn't support Secure Boot, it's not using shim.

Microsoft wouldn't even allow it, probably.

I have asked them twice why they haven't mentioned it anywhere and they ignored it, twice. What's interesting is that even the store pages of their 2022 Q4 motherboards were talking about Secure Boot and its benefits and didn't mention the defaults.

I tried hard convincing them to fix this crap, but they won't. They even tried obscuring the settings more. They sent me a test firmware with "Target OS" option which had "Non-UEFI OS" (????? how can you even have Secure Boot without UEFI???) and "Windows OS". It defaulted to "Non-UEFI OS" which actually meant "Allow Execute on security violations" and "Windows OS" was "Deny Execute on security violations".

For more background visit these 2 posts I wrote:
- https://dawidpotocki.com/en/2023/01/...insecure-boot/
- https://dawidpotocki.com/en/2023/02/...e-boot-part-2/ (MSI's responses included)