MSI Laptops To Enjoy Better Linux Support Beginning With The 6.4 Kernel


  • Paradigm Shifter
    replied
    Apologies for the pseudo-necro, but Microsoft's recent patch bonanza has a relevant entry...



    Originally posted by piotrj3 View Post
    The only thing I could blame MSI for is lacking proper guidance on setting up as secure as possible (but working) secure boot in the manual.


    Seems like even on a tightly locked down, fully Microsoft controlled system... oh, oh dear... it requires manual intervention to actually implement the fix.



  • piotrj3
    replied
    Originally posted by Paradigm Shifter View Post

    Purchasing a bare motherboard indicates there is some degree of technical skill present in the purchaser, to understand how to assemble a system and install an OS. The people who might actually be affected by this will never encounter the issue because they will never build their own PCs. So, it's just one more thing to add to the list of things to check during system assembly.
    This is exactly the part that boggles me the most. I saw a ton of cases where someone's own computer didn't have secure boot properly working because one component doesn't work with it, and suddenly if every single person like that wanted to call MSI on the phone for help or make a warranty replacement (because huh, it doesn't work), that would seriously hit their profit margins.

    The only thing I could blame MSI for is lacking proper guidance on setting up as secure as possible (but working) secure boot in the manual.



  • Paradigm Shifter
    replied
    Originally posted by dawidpotocki View Post
    No, you can't make it "safe". MSI motherboards lack basic protections (like every other motherboard maker, because they do not care and Intel and AMD don't have the balls to force them), which means that you are able to flash the firmware from the OS. Flashing the firmware will reset firmware settings, including Secure Boot settings. So all you have to do as an attacker is update user's firmware from the OS and you just bypassed Secure Boot without even having to mod the firmware.
    So every other motherboard manufacturer has the same issue, but you're explicitly targeting MSI?

    I remember when BIOS flashing from inside Windows first became possible. Enthusiasts hated it because it was buggy, error prone and had a higher than normal chance of being a bad flash - system becomes instant doorstop. Removable BIOS chips disappeared in the name of security (can't just switch a chip in five seconds if it's soldered!) so firmware flashing devices gained popularity. I never do any firmware flash from inside an OS unless I have no other option. But Microsoft and manufacturers kept pushing it, and now some devices do not have any other option! I've been told (by corporate and media propaganda, so take what you want from it) that it is "more secure" to flash from the OS because you can flash the BIOS outside the OS even with a UEFI password applied (CMOS reset). But that requires physical access, while flashing from inside the OS just requires a compromised OS, which is obviously quite easy to do considering how much of an issue viruses still are for Windows, despite all of this extra "security".

    That's ignoring the motherboards with the ability to do UEFI updates without any devices connected at all except for a USB key in a specific USB port. For those enthusiast boards, whether SecureBoot is locked down by default or not becomes somewhat academic.

    Let's not even start on the unknowns which are the Intel Management Engine and AMD Platform System Processor.

    Originally posted by dawidpotocki View Post
    "99%" of users will only ever run Windows which… supports Secure Boot OOTB… so…
    Purchasing a bare motherboard indicates there is some degree of technical skill present in the purchaser, to understand how to assemble a system and install an OS. The people who might actually be affected by this will never encounter the issue because they will never build their own PCs. So, it's just one more thing to add to the list of things to check during system assembly.
    Last edited by Paradigm Shifter; 01 April 2023, 09:59 PM.



  • rclark
    replied
    Do you not have any sensitive information on your device?
    In all my years of running Linux (since Slack on a stack of floppies), I've never had a malware event -- knock on wood. I do run Pi-Hole, a firewall, and ad-blockers and good passwords ... which is the extent of my security. And no, we don't have any sensitive information on our laptops. Favorites in Firefox? Source code for a few applications I've written? Media files? Compilers? Financial data (none)? Tax info (none)? Nothing there... Not on the desktops either, other than the password database, which is encrypted and located on the home file server which is only on the 'home' network, not the 'internet' network (two physical networks here). So, in my use case, full disk encryption is an unnecessary complication, as is secure boot. Any home automation projects are local on the home net. They never see the internet. I can't understand why some allow their cell phones to do things in the home from outside the home (IoT). That's just an intrusion attack point waiting to happen in my mind -- just for the "it's cool, look what I can do" factor. Not for me... Now if I was CIA or NSA ... then there might be a good reason to be extra paranoid. Probably even turn on SELinux at that point... This is Linux, not Windows.
    Last edited by rclark; 01 April 2023, 07:11 PM.



  • dawidpotocki
    replied
    Originally posted by rclark View Post
    As for security, who cares about secure-boot or encrypted drives etc. If someone takes mine, I am just out the laptop -- I wouldn't like it of course, but can be replaced.
    Secure Boot isn't about "someone steals my device and I never see it again", it's more about preventing unauthorised tampering with stuff like kernels, bootloaders, initramfs and Option ROMs. It prevents malware from messing with this stuff and makes evil maid attacks harder as your motherboard would have to be replaced.

    Your take on encrypted drives doesn't make much sense to me either. Do you not have any sensitive information on your device? Encrypting a root partition is very easy with LUKS.



  • rclark
    replied
    With all the negativity above, we positively like our Modern 15 MSI AMD 5700U powered laptop. KUbuntu 22.04 loaded over the top of Windows and everything I tried that we use worked. And no BIOS changes either to get it to install. Easy peasy, as it should be. Stick in the USB stick and install. I also liked the ease of upgrading the hardware. The laptop back came off easily after removing just a few screws. Added a 1TB SSD (two slots) and upped the memory to 32GB (two slots) and slapped the back back on. I can't complain at all for a home laptop. The price was right (holiday time frame) too.

    As for security, who cares about secure-boot or encrypted drives etc. If someone takes mine, I am just out the laptop -- I wouldn't like it of course, but can be replaced.



  • dawidpotocki
    replied
    Originally posted by piotrj3 View Post
    In fact Microsoft has interesting quote

    But you know what is funny? It is default. And it is default for a reason.
    It isn't set by default.



  • piotrj3
    replied
    Originally posted by stormcrow View Post

    It's out of spec, disables a layer of security, and MSI doesn't tell you the default is useless for its intended purpose. Seriously, it can't be any more clear this is broken. I can turn your argument right around on you and point out that only a few OSes don't have signed secure boot chains (Pop-OS springs to mind) so there is no real point to having this turned off (especially since, to turn your argument around again, people looking to install such an OS should already know they need to turn off SB)- except if you're intentionally (or extreme incompetence) setting up your customers for root kit compromises because they'll never know that's the case with this setting without extraordinary measures. No one is 'forcing' anyone to do anything although I do wish it were possible to force people to stop being stupid over security features that are safer when active than off and allows people the option to turn them off if necessary. I so cry that a tiny minority of people should have to turn off SB when the vast majority of people do not (99% or more of MSI customers wouldn't have to turn it off) - and would be safer if the default wasn't stupidly insane.

    Should add that the third reason, not informing the customer of a known (to the vendor) very real risk, is nearly always the famous last words just before a jury finds for the customer in a wilful negligence case.
    It is not about that!

    It is about the fact that MSI is not an OEM motherboard maker in this case (one that makes an entire prebuilt) but just a company that makes motherboards! It means after you get one, the first thing you do is install an OS. And installing an OS mostly requires using removable media. And to use it, you have to enable execution on removable media.

    Think about it from this perspective:
    User buys new motherboard -> User uses removable media to install new OS -> User uses it.

    From the perspective of a "secure default" Secure Boot it would mean:
    User first goes into BIOS -> changes settings of secure boot to allow execution from removable media -> changes settings to allow execution of non-signed code (for example for old memtest, but I can give way more examples) -> validates it -> installs new OS -> and finally changes secure boot settings to enable validation and deny execution.

    The problem is, regardless of whether MSI out of the box chooses to allow execution or deny execution, you are forced to visit the BIOS and edit those settings. Those settings are the responsibility of the user.

    In fact Microsoft has an interesting quote:
    The default value (0x00) is ALWAYS_EXECUTE, which does not properly perform verification of signed drivers in Option ROMs for add-in peripherals. This is not an ideal value for any system implementing UEFI Secure Boot functionality.
    But you know what is funny? It is the default. And it is the default for a reason.

    And the reason is (from the MS site):
    UEFI drivers are necessary for many of the new firmware level security features as well as to enable UEFI boot sequences. For example, installing Windows from an optical disk which is attached to a non-UEFI compatible storage controller is not possible when a system is booting in UEFI mode when Secure Boot is enabled.
    And guess who is affected by that the most? That is right, a motherboard fresh out of the factory that the OEM/user installs. And changing secure boot settings to make them work properly is the responsibility of the user/OEM. My old USB pendrive I use for installing an OS is definitely not secure boot compatible. But it is perfectly feasible to... install an OS from it!

    If an MSI laptop with a preinstalled OS had such defaults, I would grab a pitchfork with you. But in this case MSI provides you default settings for the sake of just building/installing a PC, not for using it!

    Also on a reddit thread I remember, about secure boot being mentioned, people in their custom builds used "Deny execute" and... they got a black screen with for example an AMD RX550 and had to use an old Nvidia card to boot into the system.
    Last edited by piotrj3; 31 March 2023, 08:22 AM.



  • tunnelblick
    replied
    Originally posted by piotrj3 View Post

    None of the mentioned Linux laptops are even in the same price range. You can get a way more impressive MSI laptop by specs than from any of those companies. Linux support comes at a cost, + MSI is mostly a gaming company, there is less interest in a gaming company to professionally support Linux. But it is worth noting that nothing MSI does is out of the ordinary and some of those features do work (I think by UEFI bits?).

    Eg. integrated webcam example (from github project) :


    Funny thing, on my old MSI laptop on Linux the function key FN+(I think F5) worked out of the box on Ubuntu. Sure, I couldn't disable the function key behaviour, but FN+F5 worked to disable and enable the integrated webcam. And if that works, the remaining parts I would say are not necessary (and those drivers provide). Default fan control on my laptop also was good enough, I wouldn't change it, and all default (generic) tools to turn on power saving features from Intel and Nvidia also worked.

    From all that the driver provides only 2 things sound interesting:
    msi-ec/battery_mode - yup, I could benefit from forcing a maximum 80-90% charge to prolong longevity, but I doubt most companies allow such a thing
    /msi-ec/shift_mode - I wonder if it works better than Intel/Nvidia power saving settings, but I hope so! Also again I wonder which of the companies above allow the laptop to underclock and undervolt and which ones allow overclocking it (LOL).

    Edit: Keep in mind for some reason coreboot chose ... an MSI motherboard as early adopter for some of their stuff. In the laptop space I hate the most companies that do something special about their hardware, and after that don't provide drivers/support around them. In MSI so far everything generic just works. MSI BIOS updates can be done without reliance on Windows, and looking in general over the internet pretty much everything works out of the box, and the MSI BIOS allows you to for example underclock/undervolt etc. People over the internet don't complain about battery life and in general reddit etc. is full of positive opinions.
    For webcam I have "uvcvideo" blacklisted and enable (insmod) or disable (rmmod) it via key combination so for other vendors this is an option I use (in my case a Lenovo Yoga).



  • dawidpotocki
    replied
    Originally posted by Paradigm Shifter View Post
    To my knowledge they do not prevent you from locking it down and making safe, so while it is definitely something to be aware of, it's just another on a long checklist of items to go through when building or setting up any new system. Although I would have preferred that they make slightly more of the fact that that is the default.
    No, you can't make it "safe". MSI motherboards lack basic protections (like every other motherboard maker, because they do not care and Intel and AMD don't have the balls to force them), which means that you are able to flash the firmware from the OS. Flashing the firmware will reset firmware settings, including Secure Boot settings. So all you have to do as an attacker is update user's firmware from the OS and you just bypassed Secure Boot without even having to mod the firmware.

    MSI told me that they allow flashing from the OS because:

    We need to allow OS BIOS update because it is requested by our customers and system builders. Unfortunately, not all customers can use our M-FLASH feature.
    It's not like you can do it in a safer manner… oh right, you can, but that requires *some* effort.

    Originally posted by stormcrow View Post
    It's out of spec, disables a layer of security, and MSI doesn't tell you the default is useless for its intended purpose. Seriously, it can't be any more clear this is broken.
    I don't think it's out of spec, at least EDK II config file doesn't claim that for the setting MSI chose (which it does for other 2 options).


    This is not to say that this is okay as a default configuration. The only hope of making MSI fix it is by removing these options from EDK II (which isn't that crazy of an idea and might actually work) or Intel/AMD forcing them to.

    Originally posted by piotrj3 View Post
    Do you seriously believe forcing people to deny execute by default on an AIB motherboard that in 99% of cases will be used by each user individually or by some smaller system builder that you know should validate if the configuration works, often by tools that do not support secure boot (for obvious reasons). Responsibility for BIOS settings falls onto the system builder. It is like saying "Hey you don't have XMP/A-XMP by default enabled". Guess what, they cannot enable it by default, but if I saw this not enabled on someone's custom computer, I would laugh at that person - it is your responsibility.
    "99%" of users will only ever run Windows which… supports Secure Boot OOTB… so…

    Originally posted by piotrj3 View Post
    Like literally look at security researcher recommendation

    Guess who has to use removable media to install new OS, that's right you, what you exactly do when you get motherboard from shop. Changing this setting by default would be stupid as you would have to allow execution and after disable it again. And at that point it is your responsibility.
    Thankfully you know how well this configuration works and you surely know that GRUB will refuse to boot the OS if this configuration is used, because it assumes that shim should be available when Secure Boot is enabled and if a distro doesn't support Secure Boot, it's not using shim.

    Originally posted by piotrj3 View Post
    Also none of the laptops are mentioned in that research (I wonder why, that is right, because with a preinstalled OS different defaults are sane!)
    Microsoft wouldn't even allow it, probably.

    Originally posted by stormcrow View Post
    Should add that the third reason, not informing the customer of a known (to the vendor) very real risk, is nearly always the famous last words just before a jury finds for the customer in a wilful negligence case.
    I have asked them twice why they haven't mentioned it anywhere and they ignored it, twice. What's interesting is that even the store pages of their 2022 Q4 motherboards were talking about Secure Boot and its benefits and didn't mention the defaults.

    I tried hard convincing them to fix this crap, but they won't. They even tried obscuring the settings more. They sent me a test firmware with "Target OS" option which had "Non-UEFI OS" (????? how can you even have Secure Boot without UEFI???) and "Windows OS". It defaulted to "Non-UEFI OS" which actually meant "Allow Execute on security violations" and "Windows OS" was "Deny Execute on security violations".

    For more background visit these 2 posts I wrote:
    - https://dawidpotocki.com/en/2023/01/...insecure-boot/
    - https://dawidpotocki.com/en/2023/02/...e-boot-part-2/ (MSI's responses included)

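Two points in this thread call for a concrete check on the defender's side: piotrj3's post about the "Allow execute on security violations" default, and dawidpotocki's point that flashing firmware from the OS resets firmware settings, Secure Boot included. The Python script below is an added example (not code from any poster, from MSI, or from the msi-ec project) that audits what the firmware actually reports through the standard UEFI variables `SecureBoot` and `SetupMode`, which Linux exposes as files under efivarfs. The efivarfs layout (a 4-byte attribute header followed by the payload) and the EFI_GLOBAL_VARIABLE GUID are from the UEFI specification and the Linux efivarfs interface; the sample byte strings are constructed for the example. The vendor's Option ROM execution policy is a setup option, not a standard UEFI variable, so this check cannot see it: a board can report SecureBoot=1 while that policy still allows unsigned Option ROMs, which is the thread's complaint. Running the audit after every firmware update catches the gross regressions (Secure Boot switched off or the board dropped back into Setup Mode).

```python
"""Audit UEFI Secure Boot enforcement state from efivarfs variable data.

Added example, not from the forum thread. On Linux, efivarfs exposes each
UEFI variable as /sys/firmware/efi/efivars/<Name>-<GUID>; the file body is
a 4-byte little-endian attribute word followed by the variable payload.
SecureBoot and SetupMode both carry a single-byte payload (1 = on).
"""
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (owner of SecureBoot/SetupMode).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file body into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivar too short: missing 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: bytes) -> Dict[str, bool]:
    """Interpret the SecureBoot and SetupMode variables.

    Secure Boot is only enforcing when SecureBoot == 1 AND SetupMode == 0:
    in Setup Mode the key databases are writable without authentication,
    so nothing the firmware verifies can be trusted yet.
    """
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode payloads must be exactly 1 byte")
    secure_boot = sb[0] == 1
    setup_mode = sm[0] == 1
    return {
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and not setup_mode,
    }


def read_live_status(efivars_dir: str = EFIVARS_DIR) -> Optional[Dict[str, bool]]:
    """Read the real variables on a UEFI-booted Linux host.

    Returns None when efivarfs is absent (legacy BIOS boot, non-Linux, or a
    container without /sys/firmware/efi), so callers can distinguish
    "cannot tell" from "Secure Boot is off".
    """
    base = Path(efivars_dir)
    sb_file = base / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    sm_file = base / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}"
    if not (sb_file.is_file() and sm_file.is_file()):
        return None
    return secure_boot_status(sb_file.read_bytes(), sm_file.read_bytes())


# Constructed sample variable bodies (not captured from a real board):
# attribute word 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the 1-byte value.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")   # SB=1, SetupMode=0
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")    # SB=0, SetupMode=0
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")  # SB=0, SetupMode=1


def describe(status: Optional[Dict[str, bool]]) -> str:
    """One-line human summary for a post-firmware-update check."""
    if status is None:
        return "efivarfs not available: cannot determine Secure Boot state"
    if status["enforcing"]:
        return "Secure Boot ENFORCING (SecureBoot=1, SetupMode=0)"
    if status["setup_mode"]:
        return "NOT enforcing: firmware is in Setup Mode (key databases unlocked)"
    return "NOT enforcing: SecureBoot=0 (settings reset or disabled)"


if __name__ == "__main__":
    for label, sample in (("enforcing", SAMPLE_ENFORCING),
                          ("disabled", SAMPLE_DISABLED),
                          ("setup mode", SAMPLE_SETUP_MODE)):
        print(f"sample {label:10s}: {describe(secure_boot_status(*sample))}")
    print(f"this host        : {describe(read_live_status())}")
```

On a real host, the script only says whether the firmware itself believes Secure Boot is enforcing; pair it with a check that the boot chain is actually the signed one the distro ships (shim and a signed GRUB/kernel), since, as noted in the thread, a distro that skips shim will not boot under an enforcing configuration.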
