MSI firmware signing keys leaked

Not at all, in this case.

There is a giant pile of hardware in the world that relies on unsigned hardware. Meanwhile, MSI uses its hardware signing to hurt its customers.

Will some MSI users get tricked into using malicious firmware? Doubtless, eventually. That's sad. But not nearly as sad as the millions of users who can't use their own computers in a manner of their choosing.

Celebrate, without remorse.

It was mine as well.

They artificially limited both discrete and on board GPU being active at the same time in my GT72's BIOS.

It was already possible.

https://docs.dasharo.com/variants/msi_z690/overview/

It's really fucked up that we can't disable secure boot on boards we've bought, and we have to hope their security is compromised instead. What would be the issue with requiring a very manual process to add my own CA to the board so I can load up whatever I want?

Ah, vendor lockin, got it.

I'm interested as well in finding out about being able to flash custom firmware. Is there any other resources to follow?

If I recall correctly, at boot time CPUs retrieve the firmware along with a cryptographic signature that verifies the firmware came from the signer. Some boards choose to burn this signature into the hardware using e-fuses. If the signing key is leaked, that means someone can flash custom firmware into the chip and the CPU would be none the wiser, all while operating at Ring 0.

It's possible they did, in any case keys can be exported from HSMs to ensure availability in the event that your HSM becomes inoperable and needs to be replaced.

For example here are instructions on how to do so with a Thales HSM https://thalesdocs.com/gphsm/ptk/5.4/docs/Content/PTK-C_Admi...