sbctl icon indicating copy to clipboard operation
sbctl copied to clipboard

Published 20 hours ago verified publisher icon Foxboron

MSI has very insecure Secure Boot defaults

Open dawidpotocki opened this issue 2 years ago • 70 comments

Some MSI motherboards with some firmware versions by default allow booting binaries on policy violations, thereby not providing any additional security compared to having Secure Boot disabled. Scroll down for a list of affected boards and their firmware versions.

To deny booting on policy violation, go to the place where your Secure Boot settings are in your UEFI, change "Secure Boot Mode" to "Custom" and then open "Image Execution Policy".

Some example locations:

  • Settings/Advanced/Windows OS Configuration/Secure Boot
  • Security/Secure Boot

NOTE: MSI released beta firmware for some AMD and Intel boards and the layout looks different. Instead of "Image Execution Policy" there is a "Secure Boot Preset" option with "Hardware/OS Compatibility" and "Maximum Security", pick "Maximum Security".

Then change "Always Execute" to "Deny Execute" on "Removable Media" and "Fixed Media". Optionally you can also change "Option ROM" to "Deny Execute", read more about Option ROMs:

  • https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom
  • https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/uefi-validation-option-rom-validation-guidance

WARNING: DON'T USE "ALWAYS DENY" UNLESS YOU KNOW WHAT YOU ARE DOING. Use "Deny Execute" instead.

Example UEFI firmware screenshots:

Example screenshot 1 Example screenshot 2

My blog post in English: https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/ Mój post na blogu po polsku: https://dawidpotocki.com/pl/2023/01/13/msi-insecure-boot/

MSI's statement: https://www.reddit.com/r/MSI_Gaming/comments/10g9v3m/msi_statement_on_secure_boot/

Format:

  • CPU vendor:
    • Chipset:
      • Board name (release date) [build date]

Some build dates are earlier than release dates, don't ask me why.

MSI firmware shows dates in MM/DD/YYYY, I have provided them in YYYY-MM-DD.

Affected motherboards (all firmware versions):

  • AMD:
    • Every X670(E) motherboard
    • Every B650(E) motherboard
    • X570:
      • MEG X570S ACE MAX
      • MEG X570S UNIFY-X MAX
      • MPG X570S CARBON MAX WIFI / MPG X570S CARBON EK X
    • B550:
      • B550 GAMING GEN3
      • MAG B550 TOMAHAWK MAX WIFI
      • PRO B550M-P GEN3
      • PRO B550-P GEN3
      • PRO B550-VC
  • Intel:
    • Every Z790 motherboard
    • Every B760 motherboard
    • Z590:
      • MEG Z590 UNIFY-X
    • B660:
      • MAG B660M MORTAR MAX WIFI DDR4
      • PRO B660M-A CEC WIFI DDR4 V2
    • H610:
      • PRO H610M 12VO
      • PRO H610M VDHP DDR4
      • PRO H610M-E DDR4
    • H410:
      • PRO H410M-B

Affected motherboards (newer firmware versions):

  • AMD:
    • TRX40:
      • Creator TRX40: 7C59v17 (2022-05-18) [2022-05-17]
      • TRX40 PRO 10G / TRX40-A PRO: 7C60v18 (2022-05-24) [2022-05-17]
      • TRX40 PRO WIFI: 7C60v28 (2022-05-24) [2022-05-17]
    • X399:
      • MEG X399 CREATION: 7B92v146 (2022-08-11) [2022-08-11]
      • X399 GAMING PRO CARBON AC: 7B09v1D9 (2022-08-11) [2022-08-10]
      • X399 SLI PLUS: 7B09vA89 (2022-08-11) [2022-08-11]
    • X570:
      • MAG X570 TOMAHAWK WIFI: 7C84v18 (2022-01-06) [2021-12-29]
      • MAG X570S TOMAHAWK MAX WIFI: 7D54v11 (2021-12-22) [2021-12-17]
      • MAG X570S TORPEDO MAX: 7D54vA1 (2021-12-22) [2021-12-17]
      • MEG X570 ACE: 7C35v1H1 (2022-01-05) [2022-01-14]
      • MEG X570 GODLIKE: 7C34v1F (2022-01-05) [2021-12-27]
      • MEG X570 UNIFY: 7C35vAB (2021-12-23) [2021-12-22]
      • MPG X570 GAMING EDGE WIFI: 7C37v1G (2021-12-22) [2021-12-16]
      • MPG X570 GAMING PLUS: 7C37vAF (2021-12-22) [2021-12-16]
      • MPG X570 GAMING PRO CARBON WIFI: 7B93v1E (2021-12-22) [2021-12-17]
      • MPG X570S EDGE MAX WIFI: 7D53v11 (2021-12-28) [2021-12-27]
      • PRESTIGE X570 CREATION: 7C36v1F (2022-01-05) [2021-12-19]
      • X570-A PRO: 7C37vHF (2021-12-21) [2021-12-16]
    • X470:
      • X470 GAMING M7 AC: 7B77v1I1 (2022-07-15) [2022-07-19]
      • X470 GAMING PLUS: 7B79vAL1 (2022-07-04) [2022-06-24]
      • X470 GAMING PLUS MAX: 7B79vHD2 (2021-09-29) [2021-09-26]
      • X470 GAMING PRO: 7B79v1I (2022-01-28) [2022-01-26]
      • X470 GAMING PRO CARBON / X470 GAMING PRO CARBON AC: 7B78v2I1 (2022-07-15) [2022-07-16]
      • X470 GAMING PRO MAX: 7B79vMB (2021-09-29) [2021-09-28]
    • X370:
      • X370 GAMING M7 ACK: 7A35v1H2 (2022-05-10) [2022-05-12]
      • X370 GAMING PLUS: 7A33v5L2 (2022-05-10) [2022-05-12]
      • X370 GAMING PRO: 7A33v4K1 (2022-05-10) [2022-05-11]
      • X370 GAMING PRO CARBON: 7A32v1P1 (2022-05-10) [2022-05-13]
      • X370 GAMING PRO CARBON AC: 7A32v2K1 (2022-05-10) [2022-05-13]
      • X370 KRAIT GAMING: 7A33v1L2 (2022-05-10) [2022-05-10]
      • X370 SLI PLUS: 7A33v3L2 (2022-05-10) [2022-05-11]
      • X370 XPOWER GAMING TITANIUM: 7A31v1O2 (2022-05-10) [2022-05-10]
    • B550:
      • B550-A PRO: 7C56vA8 (2021-12-20) [2021-12-16]
      • B550M PRO: 7D14v26 (2022-01-05) [2021-12-22]
      • B550M PRO-DASH: 7C95v37 (2021-12-22) [2021-12-21]
      • B550M PRO-VDH / B550M PRO-VDH WIFI: 7C95v29 (2022-01-05) [2021-12-23]
      • B550M PRO-VDH WIFI (CEC): 7C95vH1 (2022-01-05) [2021-12-23]
      • B550M-A PRO: 7C96v26 (2021-12-15) [2021-12-13]
      • MAG B550 TOMAHAWK: 7C91vA8 (2021-12-20) [2021-12-16]
      • MAG B550 TORPEDO: 7C91vH5 (2021-12-20) [2021-12-16]
      • MAG B550M BAZOOKA: 7C95vA8 (2022-01-05) [2021-12-23]
      • MAG B550M MORTAR / MAG B550M MORTAR WIFI / MAG B550M MORTAR MAX WIFI: 7C94v19 (2021-12-20) [2021-12-15]
      • MAG B550M VECTOR WIFI: 7D14vB6 (2022-01-05) [2021-12-19]
      • MEG B550 UNIFY: 7D13v14 (2021-12-22) [2021-12-17]
      • MEG B550 UNIFY-X: 7D13vA4 (2021-12-23) [2021-12-17]
      • MPG B550 GAMING CARBON WIFI: 7C90v18 (2021-12-22) [2021-12-20]
      • MPG B550 GAMING EDGE WIFI: 7C91v18 (2021-12-20) [2021-12-15]
      • MPG B550 GAMING PLUS: 7C56v18 (2022-01-05) [2021-12-30]
      • MPG B550I GAMING EDGE WIFI / MPG B550I GAMING EDGE MAX WIFI: 7C92v18 (2021-12-22) [2021-12-21]
      • PRO B550M-VC WIFI: 7C95vH1 (2022-01-05) [2021-12-23]
    • B450:
      • B450 GAMING PLUS MAX: 7B86vHD3 (2021-09-29) [2021-09-28]
      • B450 GAMING PRO CARBON MAX WIFI: 7B85v283 (2021-09-29) [2021-09-28]
      • B450 MORTAR MAX: 7B89v2E3 (2021-09-29) [2021-09-28]
      • B450 TOMAHAWK: 7C02v1H8 (UNKNOWN) [2022-04-18]
      • B450 TOMAHAWK MAX: 7C02v3C (2021-09-29) [2021-09-27]
      • B450 TOMAHAWK MAX II: 7C02vH63 (2021-09-29) [2021-09-27]
      • B450-A PRO MAX: 7B86vME3 (2021-09-29) [2021-09-28]
      • B450I GAMING PLUS AC: 7A40vAF7 (UNKNOWN) [2022-03-30]
      • B450I GAMING PLUS MAX WIFI: 7A40vB62 (2021-09-29) [2021-09-27]
      • B450M BAZOOKA: 7A38vHH6 (UNKNOWN) [2022-04-13]
      • B450M BAZOOKA MAX WIFI: 7C87v17 (2021-09-29) [2021-09-27]
      • B450M BAZOOKA PLUS: 7B90v1F6 (UNKNOWN) [2022-04-21]
      • B450M BAZOOKA V2: 38vPE6 (UNKNOWN) [2022-04-13]
      • B450M MORTAR: 7B89v1I (2022-08-10) [2022-07-27]
      • B450M MORTAR TITANIUM: 7B89vAG6 (UNKNOWN) [2022-04-21]
      • B450M PRO-M2 MAX: 7B84vAE2 (2021-09-29) [2021-09-27]
      • B450M PRO-M2: 7B84v2H7 (UNKNOWN) [2022-04-11]
      • B450M PRO-M2 V2: 7B84v4E (UNKNOWN) [2022-04-11]
      • B450M PRO-VDH PLUS: 7A38v9C4 (2021-10-12) [2021-10-09]
      • B450M PRO-VDH V2: 7A38v8F6 (UNKNOWN) [2022-04-13]
      • B450M-A PRO MAX: 7C52v3D2 (2021-09-29) [2021-09-28]
    • B350:
      • B350 GAMING PLUS: 7A34vMHS (2021-11-04) [2021-11-04]
      • B350 GAMING PRO CARBON: 7B00v1JS (2021-11-02) [2021-11-01]
      • B350 KRAIT GAMING: 7B08v1IS (2021-11-02) [2021-11-01]
      • B350 PC MATE: 7A34vALS (2021-11-04) [2021-11-04]
      • B350 TOMAHAWK: 7A34v1Q2 (2021-11-04) [2021-11-04]
      • B350 TOMAHAWK ARCTIC: 7A34vHKS (2021-11-04) [2021-11-04]
      • B350 TOMAHAWK PLUS: 7B36v1ER (2021-11-02) [2021-11-01]
      • B350I PRO AC: 7A40v1E2 (2022-05-10) [2021-11-01]
      • B350M BAZOOKA: 7A38v1LR (2021-11-02) [2021-11-01]
      • B350M GAMING PRO: 7A39v2NS (2021-11-02) [2021-11-01]
      • B350M MORTAR: 7A37v1MW (2021-11-04) [2021-11-01]
      • B350M MORTAR ARCTIC: 7A37vAKT (2021-11-04) [2021-11-01]
      • B350M PRO-VD PLUS: 7B38v2GV (2021-11-04) [2021-11-04]
      • B350M PRO-VDH PLUS: 7A38vAJS (2021-11-02) [2021-11-02]
      • B350M PRO-VH PLUS: 7B07v2FV (2021-11-02) [2021-11-01]
    • A520:
      • A520M PRO: 7D14v193 (2021-09-27) [2021-09-26]
      • A520M PRO-C DASH: 7C57v173 (2021-09-27) [2021-09-26]
      • A520M PRO-VDH: 7D49v135 (2021-09-27) [2021-09-26]
      • A520M PRO-VH: 7C96vA81 (2022-08-08) [2022-08-11]
      • A520M-A PRO: 7C96v183 (2021-09-27) [2021-09-28]
      • MAG A520M BAZOOKA WIFI: 7D49vA35 (2021-09-27) [2021-09-26]
      • MAG A520M VECTOR WIFI: 7D14vA93 (2021-09-27) [2021-09-26]
    • A320:
      • A320M GRENADE: 7A39vAK2 (2022-05-10) [2022-05-11]
      • A320M PRO-VH / A320M-A PRO M2: 7C52v192 (2022-01-05) [2022-01-04]
      • A320M PRO-C: 7C58v242 (2022-05-10) [2022-05-13]
      • A320M-A PRO MAX: 7C52v411 (2022-05-10) [2022-05-10]
      • A320M-A PRO: 7C51v162 (2021-12-28) [2021-12-22]
      • A320M PRO-M2 V2: 7B84v34Z (2021-11-04) [2021-11-04]
      • A320M PRO-E: 7A36vH51 (2021-11-02) [2021-11-02]
      • A320M PRO-VD/S V2: 7A36vA63 (2022-05-10) [2022-05-14]
      • A320M PRO-M2: 7B84v191 (2022-07-19) [2022-07-19]
      • A320M PRO-VHL: 7B07v1I2 (2022-05-10) [2022-05-10]
      • A320M PRO-VD PLUS: 7B38v1I2 (2022-05-10) [2022-05-13]
      • A320M PRO-VH PLUS: 7B07v3I2A (2022-05-10) [2022-05-10]
      • A320M BAZOOKA: 7A38v2K2 (2022-05-10) [2022-05-11]
      • A320M GAMING PRO: 7A39v1M2 (2022-05-10) [2022-05-10]
      • A320M PRO-VD/S: 7A36v2L3 (2022-05-10) [2022-05-14]
  • Intel:
    • X299:
      • Creator X299: 7B96v151 (2022-03-10) [2022-09-07]
      • MEG X299 CREATION: 7C06v183 (UNKNOWN) [2022-09-07]
      • X299 GAMING M7 ACK: 7A90v1G (UNKNOWN) [2022-09-07]
      • X299 GAMING PRO CARBON / X299 GAMING PRO CARBON AC: 7A95v1H2 (UNKNOWN) [2022-09-07]
      • X299 PRO / X299 PRO 10G: 7B94v142 (UNKNOWN) [2022-09-07]
      • X299 RAIDER: 7A94v1H4 (UNKNOWN) [2022-09-07]
      • X299 SLI PLUS: 7A93v1I6 (UNKNOWN) [2022-09-08]
      • X299 TOMAHAWK / X299 TOMAHAWK AC: 7B05v1G2 (UNKNOWN) [2022-09-07]
      • X299 TOMAHAWK ARCTIC: 7B05v2G (UNKNOWN) [2022-09-07]
      • X299 XPOWER GAMING AC: 7A91v1F2 (UNKNOWN) [2022-09-08]
      • X299-A PRO / X299-S01A: 7A94vA24 (2022-03-10) [2022-09-07]
      • X299M GAMING PRO CARBON AC: 7B06v1F2 (2022-03-10) [2022-09-07]
      • X299M-A PRO: 7B40v1D2 (2022-03-10) [2022-09-07]
    • Z690:
      • MAG Z690 TOMAHAWK WIFI: 7D32vH41 (2022-05-18) [2022-05-17]
      • MAG Z690 TOMAHAWK WIFI DDR4: 7D32v142 (2022-05-18) [2022-05-18]
      • MAG Z690 TORPEDO / MAG Z690 TORPEDO EK X: 7D32vA41 (2022-05-18) [2022-05-17]
      • MAG Z690M MORTAR WIFI: 7D42vB31 (2022-05-18) [2022-05-19]
      • MEG Z690 ACE: 7D27v143 (2022-05-18) [2022-05-17]
      • MEG Z690 GODLIKE: 7D26v141 (2022-05-18) [2022-05-18]
      • MEG Z690 UNIFY: 7D28v142 (2022-05-18) [2022-05-18]
      • MEG Z690 UNIFY-X: 7D28vA42 (2022-05-18) [2022-05-18]
      • MEG Z690I UNIFY: 7D29v142 (2022-05-18) [2022-05-18]
      • MPG Z690 CARBON WIFI / MPG Z690 CARBON EK X: 7D30v144 (2022-05-18) [2022-05-17]
      • MPG Z690 EDGE WIFI: 7D31vH42 (2022-05-18) [2022-05-18]
      • MPG Z690 EDGE WIFI DDR4: 7D31v144 (2022-05-18) [2022-05-18]
      • MPG Z690 FORCE WIFI: 7D30vA42 (2022-05-18) [2022-05-17]
      • PRO Z690-A / PRO Z690-A WIFI: 7D25vA42 (2022-05-23) [2022-05-17]
      • PRO Z690-A DDR4 / PRO Z690-A WIFI DDR4: 7D25v143 (2022-05-23) [2022-05-17]
      • PRO Z690-P DDR4: 7D36vA5 (2022-05-18) [2022-05-18]
      • PRO Z690-P WIFI: 7D33v121 (2022-05-18) [2022-05-18]
    • Z590:
      • MAG Z590 TOMAHAWK WIFI: 7D08v23 (2021-09-15) [2021-09-13]
      • MAG Z590 TORPEDO: 7D08vA3 (2021-09-15) [2021-09-13]
      • MEG Z590 ACE / MEG Z590 ACE GOLD EDITION: 7D04v13 (2021-09-15) [2021-09-22]
      • MEG Z590 GODLIKE: 7D03vA3 (2021-09-15) [2021-09-22]
      • MEG Z590 UNIFY: 7D38v12 (2021-09-15) [2021-09-06]
      • MEG Z590 UNIFY-X: 7D38vA2 (2021-09-15) [2021-09-06]
      • MEG Z590I UNIFY: 7D05v13 (2021-09-13) [2021-09-08]
      • MPG Z590 GAMING CARBON WIFI / MPG Z590 CARBON EK X: 7D06v15 (2021-09-15) [2021-09-13]
      • MPG Z590 GAMING EDGE WIFI: 7D07v13 (2021-09-13) [2021-09-09]
      • MPG Z590 GAMING FORCE: 7D06vA3 (2021-09-15) [2021-09-13]
      • MPG Z590 GAMING PLUS: 7D07vA3 (2021-09-13) [2021-09-09]
      • MPG Z590M GAMING EDGE WIFI: 7D12v12 (2021-09-14) [2021-09-08]
      • Z590 PLUS: 7D11v13 (2021-09-15) [2021-09-09]
      • Z590 PRO / Z590 PRO WIFI / Z590-A PRO: 7D09v13 (2021-09-08) [2021-09-06]
      • Z590 PRO WIFI (CEC): 7D09vA3 (2021-09-09) [2021-09-06]
      • Z590M PRO: 7D18v22 (2021-09-15) [2021-09-09]
    • Z490:
      • MAG Z490 TOMAHAWK: 7C80v1A (2021-10-18) [2021-10-19]
      • MEG Z490 ACE: 7C71v1A (2021-09-13) [2021-09-30]
      • MEG Z490 GODLIKE: 7C70v1A (2021-10-18) [2021-10-21]
      • MEG Z490 UNIFY: 7C71vAA (2021-09-13) [2021-09-30]
      • MEG Z490I UNIFY: 7C77v1A (2021-10-18) [2021-10-20]
      • MPG Z490 GAMING CARBON WIFI / MPG Z490 CARBON EK X: 7C73v1A (2021-10-18) [2021-10-22]
      • MPG Z490 GAMING EDGE WIFI: 7C79v19 (2021-09-13) [2021-09-30]
      • MPG Z490 GAMING PLUS: 7C75vA9 (2021-09-13) [2021-09-30]
      • MPG Z490M GAMING EDGE WIFI: 7C76v2A (2021-09-13) [2021-09-30]
      • Z490 PLUS: 7C98v16 (2021-10-30) [2021-10-22]
      • Z490-A PRO: 7C75v2B (2021-09-13) [2021-09-30]
    • Z390:
      • MAG Z390 TOMAHAWK: 7B18v1C (2022-11-08) [2022-11-02]
      • MAG Z390M MORTAR: 7C00v1B3 (2022-10-14) [2022-10-13]
      • MEG Z390 ACE: 7B12v1B3 (2022-10-14) [2022-10-13]
      • MEG Z390 GODLIKE: 7B10v1D (2022-11-07) [2022-11-01]
      • MPG Z390 GAMING EDGE AC: 7B17vAC3 (2022-10-14) [2022-10-13]
      • MPG Z390 GAMING PLUS: 7B51v1E2 (2022-10-14) [2022-10-12]
      • MPG Z390 GAMING PRO CARBON / MPG Z390 GAMING PRO CARBON AC: 7B17v1C3 (2022-10-14) [2022-10-13]
      • MPG Z390I GAMING EDGE AC: 7C04v1B (2022-11-07) [2022-10-21]
      • MPG Z390M GAMING EDGE AC: 7B50v1C (2022-10-24) [2022-10-20]
      • Z390-A PRO: 7B98v1E (2022-11-08) [2022-10-21]
    • B660:
      • MAG B660 TOMAHAWK EVA e-PROJECT: 7D41vH31 (2022-05-23) [2022-05-23]
      • MAG B660 TOMAHAWK WIFI: 7D41vA31 (2022-05-23) [2022-05-23]
      • MAG B660 TOMAHAWK WIFI DDR4: 7D41v241 (2022-05-23) [2022-05-23]
      • MAG B660M BAZOOKA: 7D43vM21 (2022-05-23) [2022-05-21]
      • MAG B660M MORTAR / MAG B660M MORTAR WIFI: 7D42vA31 (2022-05-18) [2022-05-19]
      • MAG B660M MORTAR DDR4 / MAG B660M MORTAR WIFI DDR4: 7D42v143 (2022-05-18) [2022-05-19]
      • PRO B660-A / PRO B660M-A WIFI: 7D59vA31 (2022-05-23) [2022-05-21]
      • PRO B660-A DDR4 / PRO B660M-A WIFI DDR4: 7D59v131 (2022-05-23) [2022-05-21]
      • PRO B660M-A / PRO B660M-A WIFI: 7D43vA31 (2022-05-23) [2022-05-20]
      • PRO B660M-A CEC WIFI DDR4: 7D37v131 (2022-05-18) [2022-05-18]
      • PRO B660M-A DDR4 / PRO B660M-A WIFI DDR4: 7D43v133 (2022-05-23) [2022-05-19]
      • PRO B660M-B: 7D45vA21 (2022-05-23) [2022-05-20]
      • PRO B660M-B DDR4: 7D45v141 (2022-05-23) [2022-05-20]
      • PRO B660M-E DDR4: 7D46v231 (2022-05-18) [2022-05-18]
      • PRO B660M-G: 7D45vA21 (2022-05-23) [2022-05-20]
      • PRO B660M-G DDR4: 7D45v141 (2022-05-23) [2022-05-23]
      • PRO B660M-P DDR4 / PRO B660M-P WIFI DDR4: 7D24v221 (2022-05-18) [2022-05-18]
      • PRO B660M-VC WIFI DDR4: 7D37v131 (2022-05-18) [2022-05-18]
    • B560:
      • B560-A PRO: 7D15vH1 (2021-09-15) [2021-09-09]
      • B560M PRO: 7D20v13 (2021-09-15) [2021-09-09]
      • B560M PRO WIFI: 7D21v12 (2021-09-15) [2021-09-09]
      • B560M PRO-E: 7D22v23 (2021-09-15) [2021-09-09]
      • B560M PRO-VDH / B560M PRO-VDH WIFI: 7D18v13 (2021-09-15) [2021-09-09]
      • B560M PRO-VDH WIFI (CEC): 7D18vH1 (2021-09-15) [2021-09-09]
      • B560M-A PRO: 7D20v253 (2022-05-23) [2022-05-21]
      • MAG B560 TOMAHAWK WIFI: 7D15v23 (2021-09-15) [2021-09-09]
      • MAG B560 TORPEDO: 7D15vA3 (2021-09-15) [2021-09-09]
      • MAG B560M BAZOOKA: 7D18vA3 (2021-09-15) [2021-09-09]
      • MAG B560M MORTAR / MAG B560M MORTAR WIFI: 7D17v14 (2021-09-09) [2021-09-08]
      • MPG B560I GAMING EDGE WIFI: 7D19v13 (2021-09-10) [2021-09-09]
    • B460:
      • B460M PRO / B460M-A PRO: 7C88v17 (2021-10-18) [2021-10-22]
      • B460M PRO-VDH / B460M PRO-VDH WIFI: 7C83v15 (2021-10-30) [2021-10-26]
      • MAG B460 TOMAHAWK: 7C81v13 (2021-10-30) [2021-10-25]
      • MAG B460 TORPEDO: 7C81vA2 (2021-10-30) [2021-10-25]
      • MAG B460M BAZOOKA: 7C83vA4 (2021-10-30) [2021-10-26]
      • MAG B460M MORTAR / MAG B460M MORTAR WIFI: 7C82v15 (2021-10-18) [2021-10-19]
      • MPG B460I GAMING EDGE WIFI: 7C86v12 (2021-11-12) [2021-11-05]
    • B360:
      • B360M BAZOOKA PLUS: 7B23vHC (2022-10-28) [2022-10-24]
      • B360-A PRO / B360 GAMING ARCTIC / B360 GAMING PLUS: 7B22v2D (2022-10-24) [2022-10-21]
      • B360M PRO-VD / B360M PRO-VH: 7B53v1C (2022-11-07) [2022-10-21]
      • B360M PRO-VDH: 7B24vAC (2022-11-02) [2022-10-26]
      • B360M MORTAR: 7B23v1C (2022-10-27) [2022-10-24]
      • B360M MORTAR TITANIUM: 7B23vAC (2022-10-27) [2022-10-24]
      • B360M BAZOOKA: 7B24v2C (2022-11-02) [2022-10-26]
      • B360 GAMING PRO CARBON: 7B16v2D (2022-11-14) [2022-11-03]
      • B360M GAMING PLUS: 7B19v1B (2022-10-25) [2022-10-20]
      • B360I GAMING PRO AC: 7B31v1B (2022-11-07) [2022-10-28]
      • B360-F PRO: 7B25v1B (2022-10-24) [2022-10-20]
    • H670:
      • MAG H670 TOMAHAWK WIFI DDR4: 7D25vH4 (2022-05-23) [2022-05-23]
    • H610:
      • PRO H610M-B DDR4 / PRO H610M-G DDR4 / PRO H610M-G WIFI DDR4: 7D46v131 (2022-05-18) [2022-05-18]
      • PRO H610M-C EX: 7D56v131 (2022-05-23) [2022-05-20]
      • PRO H610M-C EX DDR4: 7D56vA11 (2022-05-23) [2022-05-23]
    • H510:
      • H510I PRO WIFI: 7D16v13 (2021-09-10) [2021-09-09]
      • H510M PRO: 7D22v16 (2021-09-15) [2021-09-09]
      • H510M PRO-E: 7D23v11 (2021-09-16) [2021-09-14]
      • H510M-A PRO: 7D22v35 (2021-09-15) [2021-09-10]
      • H510TI-S01: 7D35v11 (2022-02-10) [2022-01-20]
    • H410:
      • H410I PRO WIFI: 7C86v22 (2021-11-12) [2021-11-08]
      • H410M PRO / H410M-A PRO / H410M PRO-VH: 7C89v19 (2021-11-01) [2021-11-05]
      • H410M PRO-C: 7D01v14 (2021-10-18) [2021-11-05]
      • H410M PRO-E: 7C85v11 (2021-10-18) [2021-10-22]
    • H370:
      • H370 GAMING PLUS: 7B22v1D (2022-10-25) [2022-10-21]
      • H370 GAMING PRO CARBON: 7B16v1D (2022-11-11) [2022-11-03]
      • H370M BAZOOKA: 7B24v1C (2022-11-02) [2022-10-26]
    • H310:
      • H310-A PRO: 7B83v1B (2022-11-07) [2022-10-26]
      • H310-F PRO: 7B25v2B (2022-10-24) [2022-10-21]
      • H310I PRO: 7B80v1A (2022-11-08) [2022-10-28]
      • H310M GAMING ARCTIC: 7B28vHB (2022-10-25) [2022-10-21]
      • H310M GAMING PLUS: 7B28v1B (2022-10-25) [2022-10-21]
      • H310M PRO-D / H310M PRO-VD / H310M PRO-VH: 7B33v1D (2022-11-08) [2022-10-28]
      • H310M PRO-M2: 7B28vAC (2022-10-24) [2022-10-20]
      • H310M PRO-VDH: 7B29v1D (2022-10-14) [2022-10-12]
      • H310M PRO-VHL: 7B27v1C (2022-10-27) [2022-10-24]
      • H310M PRO-VL: 7B75v1B (2022-10-24) [2022-10-21]

Unaffected motherboards (so far):

  • AMD:
    • A320:
      • A320M PRO-VD
  • Intel:
    • Z590:
      • MPG Z590 GAMING EDGE WIFI SP
    • Every Z370 motherboard
    • H310:
      • H310M PRO-C
      • H310M PRO-D PLUS
      • H310M PRO-M2 PLUS
      • H310M PRO-VD PLUS
      • H310M PRO-VDH PLUS
      • H310M PRO-VH PLUS
      • H310M PRO-VL PLUS
      • H310M PRO-VLH PLUS

No downloadable firmware available, need volunteers

  • Intel:
    • X299:
      • MPG X299M GAMING EDGE AC
    • H610:
      • H610TI-S01
    • H510:
      • H510TI-S03
      • H510TI-S05
      • PRO H510M-E

Original issue

Title: MSI PRO Z790-A has very broken Secure Boot

Submitting as Foxboron asked me to.

Feel free to open an issue on sbctl and we can keep track of it

Chat log: https://view.matrix.org/room/!GtIfdsfQtQIgbQSxwJ:archlinux.org/?anchor=$smbsrKoEbpAzdUlEfGDSA-StHWVsoVbotfH06e3lVXs&offset=120

The board seems to accept unsigned OSes when booting with Secure Boot enabled. Firmware version: E7E07IMS.A22 (7E07vA2).

This is how it went:

I went to firmware to enable Secure Boot and also wiped factory keys to switch into Setup Mode. Then I checked sbctl status and noticed that while Secure Boot was enabled, Setup Mode was disabled and Microsoft was still enrolled.

$ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     6e2b1be3-6ecf-41e6-a59b-a30efdfa85ba
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft

Well that made no sense. I went back to firmware and toggled "Custom" mode to "Standard" or something like that. Well… still booting.

Here is the output of commands that I was asked to run:

$ efi-readvar -v db
Variable db, length 3961
db: List 0, type X509
    Signature 0, size 790, owner 841d6484-c82e-4135-ac79-0bf5d26284cd
        Subject:
            CN=MSI SHIP DB
        Issuer:
            CN=MSI SHIP KEK
db: List 1, type X509
    Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
db: List 2, type X509
    Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010

$ efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001
Boot0000* Linux Boot Manager    HD(1,GPT,eee220d1-aec3-45fa-adf2-596981dc70e1,0x800,0x100000)/File(\EFI\systemd\systemd-bootx64.efi)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 00 10 00 00 00 00 00 d1 20 e2 ee c3 ae fa 45 ad f2 59 69 81 dc 70 e1 02 02 / 04 04 46 00 5c 00 45 00 46 00 49 00 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 64 00 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 64 00 2d 00 62 00 6f 00 6f 00 74 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
Boot0001* UEFI OS       HD(1,GPT,eee220d1-aec3-45fa-adf2-596981dc70e1,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 00 10 00 00 00 00 00 d1 20 e2 ee c3 ae fa 45 ad f2 59 69 81 dc 70 e1 02 02 / 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 42 00 4f 00 4f 00 54 00 5c 00 42 00 4f 00 4f 00 54 00 58 00 36 00 34 00 2e 00 45 00 46 00 49 00 00 00 / 7f ff 04 00
    data: 00 00 42 4f

$ sbverify --list /efi/EFI/systemd/systemd-bootx64.efi
warning: data remaining[110080 vs 121365]: gaps between PE/COFF sections?
warning: data remaining[110080 vs 121368]: gaps between PE/COFF sections?
No signature table present

$ fwupdmgr update
WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates:
 • 0000:00:1f.5
 • CT2000P5PSSD8
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures. If the installation fails, you will    ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly. You may have to       ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]:

Later tried to sign all EFI binaries with my unenrolled keys and… it still booted.

dawidpotocki avatar Dec 11 '22 04:12 dawidpotocki

What loader is \EFI\BOOT\BOOTX64.EFI and is it signed? Also, does bootctl agree on secure boot state?

MSI firmware is pretty much identical to ASUS, so these instructions should work for you: https://github.com/Foxboron/sbctl/blob/master/docs/workflow-example.md. You can even make screenshots with F12 (it should ask you for a usb stick to store them onto), which may help us figuring out if everything is set up correctly.

medhefgo avatar Dec 11 '22 11:12 medhefgo

@medhefgo The issue is that BOOTX64.EFI is not being booted, and it apparently boots the unsigned sd-boot binary.

I found all of this too weird to not have an issue about it.

EDIT:

Also, does bootctl agree on secure boot state?

Yes, the chat log included the bootctl output and it said SB is enabled.

Foxboron avatar Dec 11 '22 12:12 Foxboron

Yes, the chat log included the bootctl output and it said SB is enabled.

That chatlog is terrible and I cannot find the bootctl output. I'll take your word for it.

It seems that MSI has other boards with weird secure boot issues: https://github.com/memtest86plus/memtest86plus/issues/201#issuecomment-1328354576 (in that case always being enabled and working).

I went to firmware to enable Secure Boot and also wiped factory keys to switch into Setup Mode. Then I checked sbctl status and noticed that while Secure Boot was enabled, Setup Mode was disabled and Microsoft was still enrolled.

Was this done in one step or with a save and reset in between? Does the secure boot menu explicitly state that secure boot is disabled after clearing the keys (before leaving the firmware setup)? Have you tried only deleting the PK while leaving the others keys as is?

Resetting firmware settings and/or downgrading/reflashing the firmware might be something to try…

medhefgo avatar Dec 11 '22 12:12 medhefgo

Here is a bunch of runs I just did:

Run 0

Secure Boot enabled with factory keys.

Run 0, Firmware 0 Run 0, OS 0

Run 1

Changed Secure Boot Mode to Custom and showing all keys enrolled.

Run 1, Firmware 0 Run 1, Firmware 1 Run 1, Firmware 2 Run 1, Firmware 3 Run 1, Firmware 4 Run 1, OS 0

Run 2

Disabled Secure Boot. This one is kinda interesting, cause I remember disabling SB and still OS behaving as if it still was enabled.

Run 2, Firmware 0 Run 2, Firmware 1 Run 2, OS 0

Run 3

Clearing Secure Boot keys.

Run 3, Firmware 0 Run 3, Firmware 1 Run 3, OS 0

Run 4

When checking enrolled keys, factory keys were back. This time when clearing keys I didn't just press "Yes" when clearing keys. I checked enrolled keys and noticed that there is an option to automatically enroll factory keys… oh well. I didn't notice it earlier as I was focused on keys showing that there is nothing there and popup telling me that it will put me in Setup Mode. Disabled that and it worked. My bad, but MSI should have designed their firmware better.

Run 4, Firmware 0 Run 4, Firmware 1 Run 4, Firmware 2 Run 4, Firmware 3 Run 4, OS 0

Run 5

Trying to remove just PK, it… doesn't do anything. Maybe it would be able to delete non-factory key, but idk.

Run 5, Firmware 0 Run 5, Firmware 1 Run 5, OS 0

Soon™

I will try reflashing firmware and downgrading, but not today. I tried changing some settings that I changed back to defaults to check if they caused this issue, but no. I didn't change much, mostly just memory speed, timings and fan settings.

EDIT:

What loader is \EFI\BOOT\BOOTX64.EFI and is it signed?

It's systemd-boot and it's not signed.

dawid@archlinux in ~
$ sbverify --list /efi/EFI/systemd/systemd-bootx64.efi
warning: data remaining[110592 vs 121739]: gaps between PE/COFF sections?
warning: data remaining[110592 vs 121744]: gaps between PE/COFF sections?
No signature table present
dawid@archlinux in ~
$ sbverify --list /efi/EFI/BOOT/BOOTX64.EFI
warning: data remaining[110592 vs 121739]: gaps between PE/COFF sections?
warning: data remaining[110592 vs 121744]: gaps between PE/COFF sections?
No signature table present

dawidpotocki avatar Dec 12 '22 05:12 dawidpotocki

Well, that is some interesting firmware…

Have you tried enrolling your own keys when in setup mode? And does that properly activate signature checking?

I have two working theories right now:

  1. The firmware might be trusting your efi binaries on a TOFU basis on first boot after clearing the keys. Easily tested by swapping out to a different build/version of sd-boot after booting once.
  2. The firmware might be thinking your boot hd is a trusted firmware volume and therefore does not enforce signatures. If that is the case it might refuse booting unsigned images from a usb stick (ideally different from the ones on the ESP).

If possible, you could also try moving the ESP to a different internal drive. I'm also wondering if it would accept efi binaries coming from a XBOOTLDR partition…

medhefgo avatar Dec 12 '22 11:12 medhefgo

Is there a reliably way to detect motherboard versions from Linux? I'm contemplating if sbctl should have a generic "wonkey warning" if it encounters known bad motherboard+firmware versions.

Foxboron avatar Dec 12 '22 11:12 Foxboron

Is there a reliably way to detect motherboard versions from Linux? I'm contemplating if sbctl should have a generic "wonkey warning" if it encounters known bad motherboard+firmware versions.

DMI/SMBIOS info is the best source you're looking for (demidecode). And even that is full of "to be filled by OEM" crap that has to be filtered out. Best thing is to access it by hostnamectl (or hostnamed dbus API) as it does that for you.

medhefgo avatar Dec 12 '22 12:12 medhefgo

The firmware might be thinking your boot hd is a trusted firmware volume and therefore does not enforce signatures. If that is the case it might refuse booting unsigned images from a usb stick (ideally different from the ones on the ESP).

Unless RebeccaBlackOS has Secure Boot support, I think that's pretty unlikely.

dawidpotocki avatar Dec 12 '22 12:12 dawidpotocki

Unless RebeccaBlackOS has Secure Boot support, I think that's pretty unlikely.

The firmware not checking the signature has nothing to do with your OS. And firmwares are known to do silly things, and confusing the ESP as an internally trusted firmware volume is something I wouldn't put past them.

It would also be interesting to see if it will at least handle the blocklist correctly by trying to boot a signed shim that is on the blocklist. Which version to try is a different question though, but one from like 2 years ago or so along with the dbx update should suffice.

medhefgo avatar Dec 12 '22 12:12 medhefgo

The firmware not checking the signature has nothing to do with your OS.

Well, you told me boot something from a USB and I'm just saying that I did that.

It would also be interesting to see if it will at least handle the blocklist correctly by trying to boot a signed shim that is on the blocklist.

Will try later.

dawidpotocki avatar Dec 12 '22 12:12 dawidpotocki

Well, you told me boot something from a USB and I'm just saying that I did that.

That was a rather roundabout way of saying that.

For shim testing, make sure that the dbx update has been applied again (because it gets cleared when sb vars are reset). Then make an entry that points to the shim binary with a copy of you loader (I recommend an efi shell) named to grubx64.efi next to it. A quick test on my machine says that this one is old enough to get rejected: https://kojipkgs.fedoraproject.org//vol/fedora_koji_archive05/packages/shim/13/2/x86_64/shim-x64-13-2.x86_64.rpm

medhefgo avatar Dec 12 '22 12:12 medhefgo

Well, you told me boot something from a USB and I'm just saying that I did that.

Are you sure that was an UEFI boot and not CSM? Cause the iso does not have a EFI directory.

medhefgo avatar Dec 12 '22 20:12 medhefgo

Shouldn't Secure Boot decline it anyway? But okay, Arch Linux and Void Linux iso will start GRUB, but GRUB will complain that shim lock is not available when picking an entry and will not start the OS.

error: shim_lock protocol not found
error: you need to load kernel first

My understanding is that GRUB shouldn't even boot if Secure Boot was working, so it's just GRUB expecting to be signed or used with a shim and failing.

dawidpotocki avatar Dec 12 '22 23:12 dawidpotocki

I just tried every firmware available from MSI's website. They all have Secure Boot broken.

https://www.msi.com/Motherboard/PRO-Z790-A-WIFI/support

dawidpotocki avatar Dec 15 '22 03:12 dawidpotocki

I found the solution and I hate it.

By default MSI sets "Always execute" on policy violation on everything, essentially making Secure Boot useless with the default settings. This shouldn't be the default. Also "Query user" is useless if user is using some type of a bootloader, as it won't accept input anymore.

image

EDIT: Maybe sbctl should warn people on MSI motherboards about this setting? It makes people have a false sense of security.

To change it you have to:

  1. Set Secure Boot Mode to "Custom"
  2. Open "Image Execution Policy"
  3. Change policies to "Deny Execute".

dawidpotocki avatar Dec 16 '22 05:12 dawidpotocki

EDIT: Maybe sbctl should warn people on MSI motherboards about this setting? It makes people have a false sense of security.

It should. And it's probably prudent to do so for all MSI firmware that claim to be UEFI 2.80 and not just for this board/firmware.

  1. Set Secure Boot Mode to "Custom"

Out of curiosity, what are the options for secure boot mode (I assume standard, custom and disabled)? From what I can tell, keys and execution policy can only be changed when set to custom?

These screenshots should be turned into another guide by someone (I am feeling lazy :D).

Also, I strongly suggest to keep OptionROM at always execute. Removable media should also be deny execute or malware has an easy attack vector as long as a usb drive is plugged in.

medhefgo avatar Dec 16 '22 09:12 medhefgo

I just asked someone with an MSI B450 TOMAHAWK MAX to check their firmware… same options by default. It looks like it isn't exclusive to my board. Though not sure when it was introduced.

MSI B450 TOMAHAWK MAX firmware

dawidpotocki avatar Dec 16 '22 09:12 dawidpotocki

Out of curiosity, what are the options for secure boot mode (I assume standard, custom and disabled)? From what I can tell, keys and execution policy can only be changed when set to custom?

Standard and Custom. Executing Policy can only be changed in Custom.

dawidpotocki avatar Dec 16 '22 09:12 dawidpotocki

What UEFI version is reported by bootctl for them?

medhefgo avatar Dec 16 '22 09:12 medhefgo

This sounds extremely broken.

Foxboron avatar Dec 16 '22 09:12 Foxboron

Their output (very fun, who doesn't love some n/a?):

$ bootctl
System:
     Firmware: n/a (n/a)

$ hostnamectl
   Hardware Vendor: Micro-Star International Co., Ltd
    Hardware Model: MS-7C02
  Firmware Version: 3.F0

Btw, with Option ROM being set to Always Execute, could people then just not bother to enroll Microsoft's key?

dawidpotocki avatar Dec 16 '22 10:12 dawidpotocki

Their output (very fun, who doesn't love some n/a?):

They're not using sd-boot then. Can you ask them to use it just once so we can get to the UEFI version?

Btw, with Option ROM being set to Always Execute, could people then just not bother to enroll Microsoft's key?

That's my expectation, yes.

medhefgo avatar Dec 16 '22 10:12 medhefgo

(There's no need to create a boot entry, btw. The UEFI version is also listed when you press p in the sd-boot menu.)

medhefgo avatar Dec 16 '22 10:12 medhefgo

2. The firmware might be thinking your boot hd is a trusted firmware volume and therefore does not enforce signatures. If that is the case it might refuse booting unsigned images from a usb stick (ideally different from the ones on the ESP).

I just realized that one of my theories was correct. Yay me. :joy_cat:

medhefgo avatar Dec 16 '22 10:12 medhefgo

That sounds like a terrible default though. Glad we got it documented.

Foxboron avatar Dec 16 '22 10:12 Foxboron

They're not using sd-boot then. Can you ask them to use it just once so we can get to the UEFI version?

Firmware: UEFI 2.70 (American Megatrends 5.17)

dawidpotocki avatar Dec 16 '22 11:12 dawidpotocki

So, considering that the UEFI spec version is hard to get by unless sd-boot (or sd-stub) is used, one could probably use the BIOS revision field from dmidecode for that if the board vendor is MSI as those versions seem to get incremented in tandem.

medhefgo avatar Dec 16 '22 12:12 medhefgo

I got more information from another user of a B450 TOMAHAWK MAX. The affected firmware on this board is 7C02v3C from 2022-01-18. 7C02v3B from 2021-05-25 doesn't have the "Image Execution Policy" option and will give an image execution violation message.

The bad news is that the changelog mentions NOTHING about this change. So it might be hard to get the list of all affected boards, but I suspect that every firmware from 2022 onwards is affected. I found some patterns in changelogs and firmware versions, but need confirmation. Would need more volunteres with different boards to pin point the exact date and firmware.

7C02v3C Description:

  • Update to ComboAM4PIV2 1.2.0.5

Now, the output from bootctl and hostnamectl. As we can see, we can't rely on AMI version. This isn't very surprising to me as I was able to find Asus and MSI manuals from 2013 with "Image Execution Policy" mentioned. So this option has been available for a long time, it just was hidden from us.

7C02v3C

Firmware Version: 3.C0
Firmware: UEFI 2.70 (American Megatrends 5.17)

7C02v3B

Firmware Version: 3.B0
Firmware: UEFI 2.70 (American Megatrends 5.17)

I have updated the issue with a list of mobos and firmware that I believe to be affected.

dawidpotocki avatar Dec 25 '22 15:12 dawidpotocki

I have a B550-A-PRO-CEC motherboard, and I can confirm that AMI BIOS version 7C56vH4 has this issue. The default image execution policy is "Always Execute" even when the Secure Boot mode is "Standard".

I would assume the B550-A-PRO BIOS version 7C56vAB also has this issue as they are just different names for the same BIOS.

The BIOS changelog has a suspicious entry:

Change the default setting of Secure Boot.

I'm wondering if that's the change which caused all these problems.

josephlr avatar Jan 04 '23 23:01 josephlr

I did a little more digging into EDK2 to figure out which settings were causing the issue. The invalid settings here seem to be the following PCD values:

As noted in that code, the default value should be 0x04 (Deny execution when there is security violation), but instead MSI sets the default value to 0x00 (Always trust the image).

Microsoft put out UEFI Validation Option ROM Guidance, which talks about security issues around having PcdOptionRomImageVerificationPolicy be 0x00. Firmware vendors also setting 0x00 for external images is significantly worse (than the issue described in that article).

josephlr avatar Jan 04 '23 23:01 josephlr