EVGA Facepalm Relief Thread

Author
Anewbis
New Member
  • Total Posts : 33
  • Reward points : 0
  • Joined: 2010/11/01 16:33:19
  • Status: offline
  • Ribbons : 1
2017/06/03 10:18:32 (permalink)
For Secure Boot, they now use a Platform Key that AMI itself recommends OEMs replace with their own. Get this: "DO NOT TRUST - AMI Test PK." Private keys for this test PK branch have been leaked before, and any customer of AMI has them. Classic. Just classic. 
 
Apparently the BIOS has a lot of features embedded but disabled that would protect us all from the worst and most undetectable rootkits, as well as allow Device Guard to run effectively; like NX protection and SMM mitigation. Contacted support and they said they do not give out custom BIOS, unlike many of their direct competitors. I am now attempting manipulation of BIOS files on my own. Digressing, there is no TPM on many of their modern boards.
 
Memory training algorithms are less than optimal. I can leave auto timings and fail to boot, even happens with just two set to auto. I apply them manually and it's golden. I leave open all 3rd timings, and many of them are higher than they should be, considering the set 2nd timings.
 
It's been months without a BIOS update to resolve any of these issues.
 
In irreparable news, there is Engrish describing M.2 behavior on the motherboard itself. Classic. The memory channels are alternating, too, putting them closer to the hot CPU and preventing my CPU cooler from having its fan seated correctly, further inhibiting cooling.
 
Amazing customer service and generally good manual overclocking seem to be the only things EVGA has going for it, security be damned. I am let down; I don't want to have to buy Asus.
 
Anyone else need facepalm relief? Please share.
 
 
 
post edited by Anewbis - 2017/06/03 10:21:52
#1

    rjohnson11
    EVGA Forum Moderator
    • Total Posts : 102253
    • Reward points : 0
    • Joined: 2004/10/05 12:44:35
    • Location: Netherlands
    • Status: offline
    • Ribbons : 84
    Re: EVGA Facepalm Relief Thread 2017/06/03 11:46:02 (permalink)
    Since I am not familiar with this I will forward your concern to EVGA

    AMD Ryzen 9 7950X,  Corsair Mp700 Pro M.2, 64GB Corsair Dominator Titanium DDR5  X670E Steel Legend, MSI RTX 4090 Associate Code: H5U80QBH6BH0AXF. I am NOT an employee of EVGA

    #2
    EddieH
    EVGA Alumni
    • Total Posts : 2016
    • Reward points : 0
    • Joined: 2012/02/22 09:57:51
    • Status: offline
    • Ribbons : 1
    Re: EVGA Facepalm Relief Thread 2017/06/03 15:20:59 (permalink)
    Hello Anewbis,
    Your concerns have been escalated to our Product Management team for review.
     
    _Eddie
    #3
    somethingc00l
    EGC Admin
    • Total Posts : 752
    • Reward points : 0
    • Joined: 2009/03/14 13:44:57
    • Status: offline
    • Ribbons : 11
    Re: EVGA Facepalm Relief Thread 2017/06/05 16:20:28 (permalink)
    FYI you can (and should if you are serious about security) replace the PK with your own key, that's kind of the whole point of secure boot. Yes I agree EVGA should be shipping a non-test key, but leaving in any manufacturer key is a security issue regardless. This might help make it clear: http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
     
    You don't say what board you have, but I highly doubt they have NX/PAE/DEP disabled, you can check easily: https://support.microsoft.com/en-us/help/912923/how-to-determine-that-hardware-dep-is-available-and-configured-on-your-computer
     
     
    #4
    Anewbis
    New Member
    • Total Posts : 33
    • Reward points : 0
    • Joined: 2010/11/01 16:33:19
    • Status: offline
    • Ribbons : 1
    Re: EVGA Facepalm Relief Thread 2017/06/09 14:06:05 (permalink)
    @EddieH, thanks much.

    @somethingc00l, I would half-agree, but creating your own PK on Windows, then knowing how to apply it by obtaining and signing the KEK, DB, and DBx manually are quite the ordeal. If EVGA had their own PKI that was not released to subcontractors, unlike AMI, we could rest more assuredly that we don't need to spend weeks just to use our systems pretty safely. It could be put off indefinitely for those not overly concerned, or until we have time/done incrementally.

    Microsoft's DG/CG readiness tool fails the HSTI blob test, and says NX protector and SMM mitigation are disabled. This might be ok for the average noob, as they prevent booting to anything but the OS drive and outdated or poor drivers may not function, but an option to enable them under Security options should exist. PAE/DEP is on for the OS, but not protected for the subsystem. This opens the door for reboot-to-UEFI-shell vectors (Win10's "reboot to system firmware option" is an example), as well as sleep-vectors, to program the EFI partition or the embedded firmware itself. The former does so on reboot, the latter takes advantage of the wake-up subroutine. http://www.uefi.org/sites...-%20Securing%20SMM.pdf

    If I recall correctly, MS enabled DG/CG support for some consumer editions of Creators Update and it was already in the IoT Anniversary Edition. It's something to watch; trusted computing is the last major hurdle in ITsec for all OS types and on track to be a part of everyday computing. Making it noob friendly is what is currently in the works.

    I'd love to see EVGA address all this and market themselves as the leaders in modern security and usability. They could go so far as to describe potential concepts, one being building a home "mainframe" for gaming, IoT services, and media, aka a NAS++, using microATX and miniITX mobos, and even hold contests for people to build and describe them. Could bring with it a more profound sense of company prestige and a wider "tinkering" market (it's fun to do more than game or overclock when you get bored and know you can). They don't need to provide direct support if expensive, perhaps just offer a collection of links to MSDN's extensive library and the UEFI organization's PDFs. All ideas to increase market share.
    post edited by Anewbis - 2017/06/09 14:13:31
    #5
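The two checks discussed in somethingc00l's reply and Anewbis's answer above (which Platform Key the firmware is actually enrolled with, and the DEP policy the linked Microsoft KB describes) can be done from an elevated PowerShell prompt. The script below is an added example, not code from EVGA, AMI or anyone in the thread; it assumes a UEFI-booted Windows 8 or later system with the SecureBoot module present, and the EFI_SIGNATURE_LIST layout and EFI_CERT_X509_GUID value are taken from the UEFI specification.

```powershell
# Added example for this thread (not code from EVGA, AMI or the posters).
# Run from an elevated PowerShell on a UEFI-booted Windows 8+ machine.
function Get-PlatformKeyCerts {
    # Get-SecureBootUEFI returns the raw PK variable: a chain of
    # EFI_SIGNATURE_LIST structures, each holding EFI_SIGNATURE_DATA entries.
    $x509ListGuid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $bytes = (Get-SecureBootUEFI -Name PK).Bytes
    $off = 0
    while ($off -lt $bytes.Length) {
        # Header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
        $type     = [Guid]::new([byte[]]$bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $off + 24)
        $pos = $off + 28 + $hdrSize
        while ($pos -lt $off + $listSize) {
            if ($type -eq $x509ListGuid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | DER-encoded certificate
                $owner = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
                $der   = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Owner      = $owner
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    # The subject string quoted in the opening post is what to look for.
                    TestKey    = $cert.Subject -match 'DO NOT TRUST'
                }
            }
            $pos += $sigSize
        }
        $off += $listSize
    }
}

function Get-DepStatus {
    # Same WMI class and properties the linked Microsoft KB (912923) uses.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        SecureBootOn = Confirm-SecureBootUEFI
        DepAvailable = $os.DataExecutionPrevention_Available
        DepDrivers   = $os.DataExecutionPrevention_Drivers
        # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
        DepPolicy    = $os.DataExecutionPrevention_SupportPolicy
    }
}

Get-PlatformKeyCerts | Format-List
Get-DepStatus | Format-List
```

A PK whose `TestKey` field is `True` is the vendor test key the opening post complains about; `DepPolicy` of 2 or 3 with `DepAvailable` true is the normal hardware-DEP-on state for a client OS.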