Windows with BitLocker enabled can't be booted, needs to use BootNext instead of chainloader #13

Open
opened 2024-09-30 17:46:07 +00:00 by humaton · 0 comments
Member

Description of problem:
Currently grub.cfg contains:

    chainloader /EFI/Microsoft/Boot/bootmgfw.efi

This won't work with recent Windows 10 systems with TPM 2.0, which now default to BitLocker being enabled out of the box with the disk encryption key sealed in the TPM. As a result of shim->grub->chainloader, the TPM measurements have changed and therefore the BitLocker key won't be unsealed by the TPM, resulting in a Windows recovery boot asking for the BitLocker encryption passcode.

Version-Release number of selected component (if applicable):
grub2-2.06-14.fc36

How reproducible:
Always

Steps to Reproduce:
1. Computer with TPM 2.0 and a default clean installation of Windows 10 or 11 (I did this on a Lenovo ThinkPad X1 Carbon Gen 7 laptop; blkdiscard the entire NVMe drive; clean installed Windows from an ISO downloaded from microsoft.com about 9 months ago, and it enabled BitLocker encryption by default)
2. Do a default Fedora installation (resize the Windows partition to create enough free space for Fedora)
3. In the GRUB menu, select Windows Boot Manager

Actual results:
I see a BitLocker Recovery screen requesting entry of a recovery key. Boot will not proceed without it.

Expected results:
Instead of chainloading the Windows bootloader from GRUB, GRUB needs to set BootNext in NVRAM followed by a system reset. That way the firmware does a one-time boot of the Windows bootloader directly (without shim or grub), resulting in valid TPM measurements unsealing the BitLocker key, and a seamless boot of Windows.

Additional info:
See also bug 1700397 and bug 1426328.
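The BootNext workaround the report asks for, done from the running Fedora system rather than from GRUB, as an added example that is not part of the bug report or of the grub2 package: the script locates the firmware's own "Windows Boot Manager" boot entry, sets the one-shot BootNext variable to it and reboots, so the firmware loads bootmgfw.efi directly and the PCR values BitLocker sealed its key against (firmware -> Windows Boot Manager, with no shim or GRUB measured in between) are reproduced. It assumes efibootmgr(8) and systemctl(1) are installed, efivarfs is mounted, it is run as root with --apply, and the entry carries the label Windows Setup creates ("Windows Boot Manager"). The efibootmgr output embedded in it is a constructed sample with hypothetical entry numbers, used by the default dry run so the parsing can be exercised without touching NVRAM.

```shell
#!/bin/sh
# Added example, not from the bug report or the grub2 package: boot Windows
# once via the UEFI BootNext variable instead of GRUB's chainloader, so the
# firmware loads bootmgfw.efi directly and the TPM measurements BitLocker
# sealed against (no shim/GRUB in the chain) are reproduced.
# Assumes: efibootmgr(8) and systemctl(1) exist, efivarfs is mounted, the
# script runs as root with --apply, and the firmware labels the Windows
# entry "Windows Boot Manager" (the label Windows Setup creates).
set -eu

# Constructed sample of `efibootmgr` output (hypothetical entry numbers and
# disk GUIDs elided) used by the default dry run, so the parsing can be
# exercised without touching NVRAM.
SAMPLE_EFIBOOTMGR='BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0003,0001,0002
Boot0001* Windows Boot Manager	HD(1,GPT,...)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* UEFI: PXE IPv4
Boot0003* Fedora	HD(1,GPT,...)/File(\EFI\fedora\shimx64.efi)'

# find_windows_bootnum: read efibootmgr output on stdin and print the Boot####
# number of the "Windows Boot Manager" entry. Requires exactly one such entry
# (a stale duplicate left by an older install would make the choice ambiguous)
# and checks that it points at bootmgfw.efi, so a re-labelled entry is not
# booted blindly. Recent efibootmgr prints the device path without -v; on
# older versions feed it `efibootmgr -v` instead.
find_windows_bootnum() {
    matches=$(grep -E '^Boot[0-9A-Fa-f]{4}\*? Windows Boot Manager' || true)
    count=$(printf '%s' "$matches" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$matches" | grep -qi 'bootmgfw\.efi' || return 1
    printf '%s\n' "$matches" | sed -E 's/^Boot([0-9A-Fa-f]{4}).*/\1/'
}

# boot_windows_once: set BootNext to that entry and reboot. The firmware
# consumes BootNext on the next boot, so BootOrder (and therefore GRUB) is
# back in effect afterwards; nothing permanent is written to NVRAM.
boot_windows_once() {
    bootnum=$(efibootmgr | find_windows_bootnum) ||
        { echo "no unique Windows Boot Manager entry pointing at bootmgfw.efi" >&2; return 1; }
    efibootmgr --quiet --bootnext "$bootnum"
    systemctl reboot
}

main() {
    case ${1:-} in
        --apply) boot_windows_once ;;
        *)  # dry run: parse the constructed sample and show what would happen
            bootnum=$(printf '%s\n' "$SAMPLE_EFIBOOTMGR" | find_windows_bootnum)
            echo "would run: efibootmgr --bootnext $bootnum && systemctl reboot" ;;
    esac
}
main "$@"
```

Run without arguments to see the entry that would be chosen; run with --apply as root to perform the one-shot reboot into Windows. This is a workaround from the Linux side, not the in-GRUB fix the report requests; selecting "Windows Boot Manager" in the GRUB menu still goes through chainloader and still lands on the recovery screen.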

Reference: rpms/grub2#13