[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to boot Windows when Bitlocker enabled with key sealed in TPM

From: Lennart Sorensen
Subject: Re: How to boot Windows when Bitlocker enabled with key sealed in TPM
Date: Sat, 12 Feb 2022 18:32:55 -0500

On Thu, Feb 10, 2022 at 02:13:43PM -0700, Chris Murphy wrote:
> If you boot windows once a day, it's changing what, 1-4 bytes, per
> day? The entry for Windows is already in NVRAM, it doesn't need to be
> written each time. You're only changing the BootNext value that points
> to the Windows entry (and then the firmware removes it).

Well the fact you are only rewriting nextboot with a few bytes is probably
still a potential problem since from what I have seen, these simple SPI
flash chips that seem to often be used tend not to have wear leveling.
They don't expect a lot of writes.

Ideally the UEFI NVRAM should be battery back ram, but that doesn't seem
to be how a lot of systems actually implement it.  If they expect you
to install windows and run it, they don't need to support rewriting a lot.

> This is not Secure Boot. It's measured boot. They're using the TPM to
> measure the bootchain and make sure it hasn't been tampered with
> before revealing the encryption key. If the user has written down the
> recovery key, they can still boot from the BitLocker recovery window,
> but that's an untenable default user experience following the
> installation of a Linux distro. It's a 48 digit key.

Oh right for bitlocker.  Even more picky than secureboot.

Len Sorensen

reply via email to

[Prev in Thread] Current Thread [Next in Thread]