Re: How to boot Windows when Bitlocker enabled with key sealed in TPM
From: Lennart Sorensen
Subject: Re: How to boot Windows when Bitlocker enabled with key sealed in TPM
Date: Sat, 12 Feb 2022 18:32:55 -0500
On Thu, Feb 10, 2022 at 02:13:43PM -0700, Chris Murphy wrote:
> If you boot windows once a day, it's changing what, 1-4 bytes, per
> day? The entry for Windows is already in NVRAM, it doesn't need to be
> written each time. You're only changing the BootNext value that points
> to the Windows entry (and then the firmware removes it).
Well, the fact you are only rewriting BootNext with a few bytes is probably
still a potential problem since, from what I have seen, these simple SPI
flash chips that seem to often be used tend not to have wear leveling.
They don't expect a lot of writes.
Ideally the UEFI NVRAM should be battery-backed RAM, but that doesn't seem
to be how a lot of systems actually implement it. If they expect you
to install Windows and run it, they don't need to support rewriting a lot.
> This is not Secure Boot. It's measured boot. They're using the TPM to
> measure the bootchain and make sure it hasn't been tampered with
> before revealing the encryption key. If the user has written down the
> recovery key, they can still boot from the BitLocker recovery window,
> but that's an untenable default user experience following the
> installation of a Linux distro. It's a 48 digit key.
Oh right, for BitLocker. Even more picky than Secure Boot.
--
Len Sorensen
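The measured-boot behaviour discussed in the thread (the TPM extending each boot component into a PCR, and the BitLocker key only being released when the PCRs match what it was sealed to) can be modelled in a few lines. The following Python is an added example, not code from this mailing-list thread or from any TPM or BitLocker implementation: the component names are constructed stand-ins for real boot binaries, and the seal/unseal pair is a toy HMAC/XOR construction that only models the dependency on the PCR value (a real TPM keeps the wrapping key inside the chip and evaluates the PCR policy itself).

```python
import hashlib
import hmac
from typing import Optional

PCR_BYTES = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Model of a TPM PCR extend in the SHA-256 bank: PCR' = H(PCR || H(data)).
    The old value is folded in, so the result depends on every earlier
    measurement and on their order; a PCR can only be extended, never set."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components) -> bytes:
    """Extend each boot-chain component, in boot order, into one PCR that
    starts as all-zero bytes, as it does after a platform reset."""
    pcr = bytes(PCR_BYTES)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def seal(secret: bytes, pcr: bytes) -> bytes:
    """Toy stand-in for TPM sealing under a PCR policy (assumption, not the
    real TPM algorithm): derive a wrapping key from the PCR digest, XOR-wrap
    the secret and attach an HMAC tag so a wrong PCR is detected rather than
    silently yielding garbage."""
    if len(secret) != PCR_BYTES:
        raise ValueError("model supports exactly 32-byte secrets")
    wrap = hashlib.sha256(b"seal-kdf|" + pcr).digest()
    wrapped = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, wrapped, hashlib.sha256).digest()
    return wrapped + tag


def unseal(blob: bytes, pcr: bytes) -> Optional[bytes]:
    """Return the secret if the current PCR equals the one it was sealed to,
    else None: the policy-check failure that sends BitLocker to the
    recovery-key screen instead of booting unattended."""
    wrap = hashlib.sha256(b"seal-kdf|" + pcr).digest()
    wrapped, tag = blob[:-32], blob[-32:]
    expected = hmac.new(wrap, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap))


# Constructed stand-ins for boot-chain components (not real binaries).
FIRMWARE = b"platform firmware (constructed)"
WINDOWS_BOOTMGR = b"bootmgfw.efi (constructed)"
LINUX_SHIM = b"shimx64.efi (constructed)"
WINDOWS_CHAIN = [FIRMWARE, WINDOWS_BOOTMGR]
CHANGED_CHAIN = [FIRMWARE, LINUX_SHIM, WINDOWS_BOOTMGR]  # extra first-stage loader

# Constructed volume master key; in the model it is what gets sealed.
VOLUME_KEY = hashlib.sha256(b"constructed volume master key").digest()


def release_key(sealed: bytes, chain) -> Optional[bytes]:
    """Boot with the given chain: measure it, then try to unseal the key."""
    return unseal(sealed, measure_chain(chain))


def demo() -> dict:
    """Seal the key to the unmodified chain, then try to release it under
    the same chain and under a chain with a different loader in front."""
    sealed = seal(VOLUME_KEY, measure_chain(WINDOWS_CHAIN))
    return {
        "same_chain": release_key(sealed, WINDOWS_CHAIN) == VOLUME_KEY,
        "changed_chain": release_key(sealed, CHANGED_CHAIN) is None,
        "order_matters": measure_chain([FIRMWARE, WINDOWS_BOOTMGR])
        != measure_chain([WINDOWS_BOOTMGR, FIRMWARE]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes is the one from the thread: the sealed blob itself is not damaged by a changed boot chain, it simply cannot be unwrapped until the measured chain matches again, so the only path left to the user is the separate recovery key.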