For webcam I have "uvcvideo" blacklisted and enable (insmod) or disable (rmmod) it via key combination so for other vendors this is an option I use (in my case a Lenovo Yoga).

It is not about that!

It is about that MSI is not OEM motherboard maker in this case (that makes entire prebuilt) but just a company that makes motherboard! It means after you get one, first thing you do is install OS. And installing OS requires using mostly removable media. And to use it, you have to enable execution on removable media.

Think about it from this perspective:
User buys new motherboard -> User uses removable media to install new OS -> User uses.

From perspective of "secure default" Secure boot it would mean:
User first goes into bios -> changes settings of secure boot to allow execution from removable media -> changes settings to allow execution of non-signed secure boot (for example for old memtest) but I can tell way more examples -> validates it -> installs new OS -> and finally changes secure boot settings to enable validation and deny execution.

Problem is, regardless if MSI out of box chooses to allow execution or deny execution, you are forced to visit BIOS and edit those settings. Those settings are responsibility of user.

In fact Microsoft has interesting quote
But you know what is funny? It is default. And it is default for a reason.

And the reason is (From MS site)
And guess who is affected by that the most? That is right motherboard fresh out of factory that OEM/user installs. And changing secure boot settings to make them work properly is responsibility of user/OEM. My old USB pendrive i use for installing OS is definitly not secure boot compatible. But it is perfectly feasable to... install OS from it!

If MSI laptop with preinstalled OS has such defaults, I grab pitchfork with you. But in this case MSI provides you default settings for sake of just building/installing PC, not for using it!

Also on reddit thread i remember that thread being mentioned about secure boot, then people in their custom build use "Deny execute" and... they got black screen with for example AMD RX550 and had to use old nvidia card to boot into system.

It isn't set by default.

With all the negativity above, we positively like our Modern 15 MSI AMD 5700U powered laptop . KUbuntu 22.04 loaded over the top of Windows and everything i tried worked that we use. And no BIOS changes either to get it to install. Easy peasy as it should be. Stick in the USB stick and install. I also liked the ease of upgrading the hardware also. The laptop back came off easy after removing just a few screws. Added a 1TB SSD (two slots) and upped the memory to 32GB (two slots) and slapped the back back on. I can't complain at all for a home laptop. Priced was right (holiday time frame) too.

As for security, who cares about secure-boot or encrypted drives etc. If someone takes mine, I am just out the laptop -- I wouldn't like it of course, but can be replaced.

Secure Boot isn't about "someone steals my device and I never see it again", it's more about preventing unauthorised tampering with stuff like kernels, bootloaders, initramfs and Option ROMs. It prevents malware from messing with this stuff and makes evil maid attacks harder as your motherboard would have to be replaced.

Your take on encrypted drives doesn't make much sense to me either. Do you not have any sensitive information on your device? Encrypting a root partition is very easy with LUKS.

In all my years of running Linux (since Slack on stack of floppies), I've never had a malware event -- knock on wood. I do run Pi-Hole, a firewall, and ad-blockers and good passwords ... which is the extent of my security. And no, we don't have any sensitive information on our laptops. Favorites in Firefox? A few applications source code I've written? Media files? Compilers? Financial data (none)? Tax info (none)? Nothing there... Not on the desktops either, other than password database which is encrypted and located on home file server which is only on the 'home' network, not the 'internet' network (two physical networks here). So, in my use case, full disk encryption is an unnecessary complication as is secure boot. Any home automation projects are local on the home net. Never see the internet. I can't understood why some allow their cell phones to do things in the home from outside the home (IOT). That's just an intrusion attack point waiting to happen in my mind -- just for the "it's 'cool", look what I can do factor . Not for me... Now if I was CIA or NSA ... then there might be a good reason to be extra paranoid. Probably even turn on selinux at that point... This is Linux, not Windows.

So every other motherboard manufacturer has the same issue, but you're explicitly targeting MSI?

I remember when BIOS flashing from inside Windows first became possible. Enthusiasts hated it because it was buggy, error prone and had a higher than normal chance of being a bad flash - system becomes instant doorstop. Removable BIOS chips disappeared in the name of security (can't just switch a chip in five seconds if it's soldered!) so firmware flashing devices gained popularity. I never do any firmware flash from inside an OS unless I have no other option. But Microsoft and manufacturers kept pushing it, and now some devices do not have any other option! I've been told (by corporate and media propaganda, so take what you want from it) that it is "more secure" to flash from the OS because you can flash the BIOS outside the OS even with a UEFI password applied (CMOS reset). But that requires physical access, while flashing from inside the OS just requires a compromised OS, which is obviously quite easy to do considering how much of an issue viruses still are for Windows, despite all of this extra "security".

That's ignoring the motherboards with the ability to do UEFI updates without any devices connected at all except for a USB key in a specific USB port. For those enthusiast boards, whether SecureBoot is locked down by default or not becomes somewhat academic.​

Let's not even start on the unknowns which are the Intel Management Engine and AMD Platform System Processor.​

Purchasing a bare motherboard indicates there is some degree of technical skill present in the purchaser, to understand how to assemble a system and install an OS. The people who might actually be affected by this will never encounter the issue because they will never build their own PCs. So, it's just one more thing to add to the list of things to check during system assembly.

This is exactly part that buggles me the most. I saw a ton of cases when own computer didn't have secure boot properly working because 1 component doesnt' work with it, and suddenly if every single person like that wanted to call MSI on phone for help or make a warranty replacement (because huh it doesn't work), that would seriously hit their profit margins.

The only thing i could blame MSI for is lacking proper guidance on setting se secure as possible (but working) secure boot in manual.

Apologies for the pseudo-necro, but Microsoft's recent patch bonanza has a relevant entry...





Seems like even on a tightly locked down, fully Microsoft controlled system... oh, oh dear... it requires manual intervention to actually implement the fix.