Article link: https://www.bleepingcomputer.com/news/security/msi-breaks-secure-boot-for-hundreds-of-motherboards/
TL;DR:
1. MSI wrongly set the Secure Boot policy to "Always Execute", so even when verification of the UEFI image / hardware firmware / motherboard firmware fails, the board still reports "verification passed" and continues booting.
2. MSI refuses to acknowledge the problem, claiming "this is for user-friendliness; users can still change the relevant setting themselves".
3. Based on hands-on testing: as of 2023, MSI's default Secure Boot setting is still broken.
The following is a repost; the translation was machine-generated (translation technology provided by Tencent Cloud).
MSI breaks Secure Boot for hundreds of motherboards
Update 1/22/23: Title updated as MSI intentionally changed this setting as per statement below.
Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature.
This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue.
The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.
UEFI Secure Boot
Secure Boot is a security feature built into the firmware of UEFI motherboards that ensures only trusted (signed) software can execute during the boot process.
"When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system," explains Microsoft in an article about Secure Boot.
"If the signatures are valid, the PC boots, and the firmware gives control to the operating system."
To validate the safety of boot loaders, OS kernels, and other essential system components, Secure Boot checks the PKI (public key infrastructure) that authenticates the software and determines its validity on every boot.
If the software is unsigned or its signature has changed, possibly because it was modified, the boot process will be stopped by Secure Boot to protect the data stored on the computer.
This security system is designed to prevent UEFI bootkits/rootkits (1, 2, 3) from launching on the computer and to warn users that their operating system has been tampered with after the vendor shipped the system.
Default MSI settings cause insecure boots
Potocki claims that MSI's firmware updates released between September 2021 and January 2022 changed a default Secure Boot setting on MSI motherboards so that the system will boot even if it detects security violations.
"I decided to setup Secure Boot on my new desktop with the help of sbctl. Unfortunately, I have found that my firmware was accepting every OS image I gave it, no matter if it was trusted or not," explains the researcher in his writeup.
"As I have later discovered on 2022-12-16, it wasn't just broken firmware; MSI had changed their Secure Boot defaults to allow booting on security violations(!!)."
This change was to mistakenly set the "Image Execution Policy" setting in the Firmware to "Always Execute" by default, allowing any image to boot the device as normal.
As you can see from the image above, even though Secure Boot is enabled, its "Image Execution Policy" setting is set to "Always Execute", allowing the system to boot even if there are security violations.
This effectively breaks the Secure Boot feature, as untrusted images can still be used to boot the device.
Potocki explains that users should set the Execution Policy to "Deny Execute" for "Removable Media" and "Fixed Media," which should only allow signed software to boot.
The researcher says MSI never documented the change, so he had to trace back the introduction of the insecure default using IFR (UEFI Internal Forms Representation) to extract configuration option information from the firmware images.
Potocki then used this information to determine which MSI motherboards were impacted by the issue. A complete list of the over 290 motherboards and the firmware versions affected by this insecure setting is available on GitHub.
If you're using an MSI motherboard in that list, go over to BIOS settings and check that the "Image Execution Policy" is set to a safe option.
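A point the article makes implicitly is that "Secure Boot enabled" as reported by the firmware is not the same as Secure Boot being enforced. The added example below (not part of the BleepingComputer article or Potocki's writeup) reads the standard SecureBoot and SetupMode EFI variables the way Linux exposes them through efivarfs, and explains why a clean result still cannot rule out an "Always Execute" policy; the efivarfs path and the EFI global-variable GUID are from the UEFI specification, and the sample variable contents in the test are constructed.

```python
"""Report what the firmware says about Secure Boot, and what it cannot tell you.

On Linux, EFI variables appear in efivarfs as files named <Name>-<VendorGUID>.
Each file starts with a 4-byte little-endian attribute word followed by the
variable's payload. SecureBoot and SetupMode are one-byte flags (0 or 1).

A board shipped with MSI's "Always Execute" default reports SecureBoot=1 here
and still boots unsigned images: the Image Execution Policy is a vendor setup
option, not a standard EFI variable, so it is invisible to this check.
"""
import struct
from pathlib import Path
from typing import Callable, Optional

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # GUID from the UEFI spec
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs file body into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def read_efivar(name: str) -> Optional[bytes]:
    """Read a variable under the EFI global GUID; None if absent or efivarfs missing."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
    return path.read_bytes() if path.exists() else None


def secure_boot_report(read_var: Callable[[str], Optional[bytes]] = read_efivar) -> dict:
    """Interpret SecureBoot/SetupMode; read_var is injectable so the logic can be tested offline."""
    flags = {}
    for name in ("SecureBoot", "SetupMode"):
        raw = read_var(name)
        payload = parse_efivar(raw)[1] if raw is not None else b""
        flags[name] = bool(payload[0]) if payload else None
    sb, setup = flags["SecureBoot"], flags["SetupMode"]
    if sb is None:
        verdict = "no UEFI variables visible (legacy boot, or efivarfs not mounted)"
    elif not sb:
        verdict = "Secure Boot disabled"
    elif setup:
        verdict = "Secure Boot flag set but firmware is in Setup Mode: no enrolled keys, nothing is enforced"
    else:
        verdict = ("Secure Boot enabled per firmware; this does NOT prove enforcement. "
                   "Confirm Image Execution Policy is Deny Execute for Removable and Fixed Media.")
    return {"secure_boot": sb, "setup_mode": setup, "verdict": verdict}


if __name__ == "__main__":
    for key, value in secure_boot_report().items():
        print(f"{key}: {value}")
```

On an affected MSI board with the default policy this script prints "Secure Boot enabled", which is exactly why the BIOS setting itself has to be checked.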
If you haven't upgraded your motherboard firmware since January 2022, the introduction of a bad default shouldn't be a reason to postpone it any further, as software updates contain important security fixes.
BleepingComputer has contacted MSI to request a comment on the above and whether they plan to change the default setting via a new update, but we are still waiting to receive a response.
Update 1/18 - BleepingComputer has received clarifications from Dawid Potocki about the vulnerable firmware versions for each MSI motherboard model and performed the required corrections on the article.
Update 1/20 - MSI is yet to respond to BleepingComputer's request for a comment, but the company posted the following statement on Reddit:
MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance defined by Microsoft and AMI before the launch of Windows 11.
We preemptively set Secure Boot as Enabled and "Always Execute" as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations.
For users who are highly concerned about security, they can still set "Image Execution Policy" as "Deny Execute" or other options manually to meet their security needs.
In response to the report of security concerns with the preset BIOS settings, MSI will be rolling out new BIOS files for our motherboards with "Deny Execute" as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs.