MSI Laptops To Enjoy Better Linux Support Beginning With The 6.4 Kernel
Originally posted by stormcrow View Post
It's out of spec, disables a layer of security, and MSI doesn't tell you the default is useless for its intended purpose. Seriously, it can't be any more clear this is broken. I can turn your argument right around on you and point out that only a few OSes don't have signed secure boot chains (Pop-OS springs to mind) so there is no real point to having this turned off (especially since, to turn your argument around again, people looking to install such an OS should already know they need to turn off SB)- except if you're intentionally (or extreme incompetence) setting up your customers for root kit compromises because they'll never know that's the case with this setting without extraordinary measures. No one is 'forcing' anyone to do anything although I do wish it were possible to force people to stop being stupid over security features that are safer when active than off and allows people the option to turn them off if necessary. I so cry that a tiny minority of people should have to turn off SB when the vast majority of people do not (99% or more of MSI customers wouldn't have to turn it off) - and would be safer if the default wasn't stupidly insane.
Should add that the third reason, not informing the customer of a known (to the vendor) very real risk, is nearly always the famous last words just before a jury finds for the customer in a wilful negligence case.
The point is that MSI is not an OEM in this case (one that makes an entire prebuilt) but just a company that makes motherboards! It means that after you get one, the first thing you do is install an OS. And installing an OS mostly requires using removable media. And to use it, you have to enable execution on removable media.
Think about it from this perspective:
User buys new motherboard -> User uses removable media to install new OS -> User uses.
From the perspective of a "secure default" Secure Boot, it would mean:
User first goes into BIOS -> changes settings of Secure Boot to allow execution from removable media -> changes settings to allow execution of non-signed secure boot (for example for old memtest, but I can give way more examples) -> validates it -> installs new OS -> and finally changes Secure Boot settings to enable validation and deny execution.
The problem is, regardless of whether MSI chooses out of the box to allow execution or deny execution, you are forced to visit the BIOS and edit those settings. Those settings are the responsibility of the user.
In fact, Microsoft has an interesting quote:
The default value (0x00) is ALWAYS_EXECUTE, which does not properly perform verification of signed drivers in Option ROMs for add-in peripherals. This is not an ideal value for any system implementing UEFI Secure Boot functionality.
And the reason is (from the MS site):
UEFI drivers are necessary for many of the new firmware level security features as well as to enable UEFI boot sequences. For example, installing Windows from an optical disk which is attached to a non-UEFI compatible storage controller is not possible when a system is booting in UEFI mode when Secure Boot is enabled.
If an MSI laptop with a preinstalled OS has such defaults, I'll grab a pitchfork with you. But in this case MSI provides you default settings for the sake of just building/installing the PC, not for using it!
Also, I remember a Reddit thread being mentioned about Secure Boot, where people used "Deny execute" in their custom builds and... they got a black screen with, for example, an AMD RX550 and had to use an old NVIDIA card to boot into the system.
Last edited by piotrj3; 31 March 2023, 08:22 AM.
- Likes 1
-
Originally posted by piotrj3 View Post
In fact, Microsoft has an interesting quote
But you know what is funny? It is default. And it is default for a reason.
2. ASSERT if PCD value is set to 5 (QUERY_USER_ON_SECURITY_VIOLATION). 3. Update override PCD setting from 5 to 4 in platform DSC file. Signed-off-by: Fu Siyuan <[email protected]> Reviewed...
-
With all the negativity above, we positively like our Modern 15 MSI AMD 5700U powered laptop. Kubuntu 22.04 loaded over the top of Windows and everything I tried worked that we use. And no BIOS changes either to get it to install. Easy peasy as it should be. Stick in the USB stick and install. I also liked the ease of upgrading the hardware. The laptop back came off easily after removing just a few screws. Added a 1TB SSD (two slots) and upped the memory to 32GB (two slots) and slapped the back back on. I can't complain at all for a home laptop. Price was right (holiday time frame) too.
As for security, who cares about secure-boot or encrypted drives etc. If someone takes mine, I am just out the laptop -- I wouldn't like it of course, but can be replaced.
-
Originally posted by rclark View Post
As for security, who cares about secure-boot or encrypted drives etc. If someone takes mine, I am just out the laptop -- I wouldn't like it of course, but can be replaced.
Your take on encrypted drives doesn't make much sense to me either. Do you not have any sensitive information on your device? Encrypting a root partition is very easy with LUKS.
-
Do you not have any sensitive information on your device?
Last edited by rclark; 01 April 2023, 07:11 PM.
-
Originally posted by dawidpotocki View Post
No, you can't make it "safe". MSI motherboards lack basic protections (like every other motherboard maker, because they do not care and Intel and AMD don't have the balls to force them), which means that you are able to flash the firmware from the OS. Flashing the firmware will reset firmware settings, including Secure Boot settings. So all you have to do as an attacker is update user's firmware from the OS and you just bypassed Secure Boot without even having to mod the firmware.
I remember when BIOS flashing from inside Windows first became possible. Enthusiasts hated it because it was buggy, error prone and had a higher than normal chance of being a bad flash - system becomes instant doorstop. Removable BIOS chips disappeared in the name of security (can't just switch a chip in five seconds if it's soldered!) so firmware flashing devices gained popularity. I never do any firmware flash from inside an OS unless I have no other option. But Microsoft and manufacturers kept pushing it, and now some devices do not have any other option! I've been told (by corporate and media propaganda, so take what you want from it) that it is "more secure" to flash from the OS because you can flash the BIOS outside the OS even with a UEFI password applied (CMOS reset). But that requires physical access, while flashing from inside the OS just requires a compromised OS, which is obviously quite easy to do considering how much of an issue viruses still are for Windows, despite all of this extra "security".
That's ignoring the motherboards with the ability to do UEFI updates without any devices connected at all except for a USB key in a specific USB port. For those enthusiast boards, whether SecureBoot is locked down by default or not becomes somewhat academic.
Let's not even start on the unknowns which are the Intel Management Engine and AMD Platform System Processor.
Originally posted by dawidpotocki View Post
"99%" of users will only ever run Windows which… supports Secure Boot OOTB… so…
Last edited by Paradigm Shifter; 01 April 2023, 09:59 PM.
-
Originally posted by Paradigm Shifter View Post
Purchasing a bare motherboard indicates there is some degree of technical skill present in the purchaser, to understand how to assemble a system and install an OS. The people who might actually be affected by this will never encounter the issue because they will never build their own PCs. So, it's just one more thing to add to the list of things to check during system assembly.
The only thing I could blame MSI for is lacking proper guidance in the manual on setting up an as-secure-as-possible (but working) Secure Boot.
- Likes 1
-
Apologies for the pseudo-necro, but Microsoft's recent patch bonanza has a relevant entry...
Originally posted by piotrj3 View Post
The only thing I could blame MSI for is lacking proper guidance in the manual on setting up an as-secure-as-possible (but working) Secure Boot.
Seems like even on a tightly locked down, fully Microsoft controlled system... oh, oh dear... it requires manual intervention to actually implement the fix.