grub-devel

How to boot Windows when Bitlocker enabled with key sealed in TPM


From: Chris Murphy
Subject: How to boot Windows when Bitlocker enabled with key sealed in TPM
Date: Mon, 7 Feb 2022 16:48:43 -0700

Hi,

It's increasingly common to see Windows 10 systems with full disk
encryption (BitLocker) enabled out of the box, with the encryption key
sealed in the TPM 2.0. [1][2][3]

The system uses Measured Boot to determine if boot related components
have been tampered with, and if not, the BitLocker key is unsealed by
the TPM, and the system boots normally.

The problem is that with dual boot Linux systems, typically this means
shim followed by GRUB are loaded, altering the PCR values used for
sealing the BitLocker key, and the key is not unsealed. That means the
user is left looking at a BitLocker recovery window instead of getting
a successful boot whenever they boot the GRUB menu entry, e.g.:

### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-DA43-2963' {
    insmod part_gpt
    insmod fat
    search --no-floppy --fs-uuid --set=root DA43-2963
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}

One idea I've heard floated is having GRUB alter efivars such that
BootNext is changed to do a one time boot of Windows, instead of using
chainloader. If BIOS, use chainloader as now. If UEFI, set the BootNext
EFI variable? This has the benefit of working even on UEFI systems
which aren't BitLocker encrypted.

Can GRUB modify efivars now? If not, what work would be needed to
enable GRUB to modify efivars? Alternatives?


[1] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
[2] BitLocker Encryption is enabled, by default, on computers that
support Modern Standby.
https://support.hp.com/us-en/document/c06458046
[3] I have a Lenovo Thinkpad X1 Carbon Gen 7, fairly popular hardware
but also not the newest available, it came with Windows 10
preinstalled. And Bitlocker was enabled out of the box. I wiped the
laptop clean and installed Windows 10 from ISO downloaded from
microsoft.com. Same thing, following the clean install, full disk
encryption is enabled. I did not opt-in. This likely will expand due
to the Windows 11 requirement that supporting hardware have TPM 2.0.

-- 
Chris Murphy
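The BootNext approach described in the post, shown as an added example (not from the original message or from GRUB) done from an already-booted Linux with efibootmgr, which is the user-space equivalent of what the post asks GRUB to do from its menu. It assumes efibootmgr is installed and run as root, that the Windows entry carries the label "Windows Boot Manager", and the efibootmgr output in SAMPLE_EFIBOOTMGR is constructed for a dry run.

```shell
#!/bin/sh
# Added example: one-shot boot of the Windows Boot Manager via the BootNext
# EFI variable. Because the firmware loads bootmgfw.efi directly on that
# boot, shim and GRUB are never measured into the PCRs, so the PCR values
# BitLocker sealed its key against are unchanged and the key unseals.

# Print the Boot#### number (e.g. "0001") of the entry labelled $2 in the
# efibootmgr output passed as $1; print nothing if there is no such entry.
find_boot_entry() {
    printf '%s\n' "$1" \
        | sed -n "s/^Boot\([0-9A-Fa-f]\{4\}\)\*\{0,1\} $2.*/\1/p" \
        | head -n 1
}

# Set BootNext to the Windows entry and reboot. BootNext is consumed by the
# firmware on the next boot only, so the normal BootOrder is untouched.
boot_windows_once() {
    entry=$(find_boot_entry "$(efibootmgr)" "Windows Boot Manager")
    if [ -z "$entry" ]; then
        echo "no 'Windows Boot Manager' entry in efibootmgr output" >&2
        return 1
    fi
    efibootmgr -n "$entry" >/dev/null && systemctl reboot
}

# Constructed sample of efibootmgr output (GUID and disk offsets are made up)
# used to exercise find_boot_entry without touching real EFI variables.
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002
Boot0000* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x82000)/File(\EFI\fedora\shimx64.efi)
Boot0001* Windows Boot Manager HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* UEFI: PXE IPv4'
```

Running `boot_windows_once` on a real system requires root, since efibootmgr writes to efivarfs.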
