grub-devel

Re: How to boot Windows when Bitlocker enabled with key sealed in TPM


From: Chris Murphy
Subject: Re: How to boot Windows when Bitlocker enabled with key sealed in TPM
Date: Fri, 25 Mar 2022 17:00:52 -0600

On Fri, Mar 25, 2022 at 2:32 PM Vladimir 'phcoder' Serbinenko
<phcoder@gmail.com> wrote:
>
> On Fri, Mar 25, 2022 at 9:14 PM Chris Murphy <lists@colorremedies.com> wrote:
> >
> > For all practical purposes, this is functionally the end to dual boot
> > in GRUB, if there is no work around, e.g. bootnext. Is that the
> > direction GRUB maintainers want to go in?
> Why don't you just update TPM with new values? Then it will get
> unsealed when booted through GRUB

How?

The key is sealed in the TPM so first we need to get the key in order
to (re)seal it with new PCR values. Correct? So we somehow need a way
to boot only the Windows bootloader in order for measured boot to
unseal the key, and then we'd need to somehow measure
shim+grub+windows bootloaders together in order to seal the key with
the new values for those three bootloaders used in that sequence. I
have no idea if that's practical at all.

The recovery key is not the one sealed in the TPM; they are separate
keys in separate "keyslots".


-- 
Chris Murphy
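To make the resealing problem discussed in this thread concrete, here is an added simulation (not code from GRUB, shim, Windows or any poster) of how a PCR value is built up by a boot chain and how a TPM 2.0 PolicyPCR digest derived from it gates access to a sealed secret. It models one PCR (labelled 4 here for illustration; a real BitLocker profile selects several PCRs) and uses constructed strings in place of the real EFI binary hashes, so it runs offline without a TPM. The policy digest follows the TPM 2.0 structure for TPM2_PolicyPCR (H(oldDigest || commandCode || pcrSelection || pcrDigest)) starting from a fresh all-zero digest; the `seal`/`unseal` helpers are assumptions standing in for TPM2_Create/TPM2_Unseal. The scenario function shows why booting through shim+grub fails to unseal a key sealed against the direct Windows path, and that a reseal requires the key to be recovered via the original path first.

```python
"""Simulated TPM 2.0 measured boot: PCR extend chain, PolicyPCR digest, and
seal/unseal against a PCR policy.  Added illustration only: the measurements
are constructed strings, not real binary hashes, and no TPM is touched."""
import hashlib
import struct

HASH = hashlib.sha256
DIGEST_LEN = 32
TPM_CC_POLICY_PCR = 0x0000017F   # TPM2_PolicyPCR command code (TPM 2.0 Part 2)
TPM_ALG_SHA256 = 0x000B


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(measurement)); PCRs start as all zeros."""
    return HASH(pcr_value + HASH(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Final PCR value after extending each loaded component in order.
    The order of extends matters: a different chain gives a different PCR."""
    pcr = b"\x00" * DIGEST_LEN
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def pcr_selection(pcr_index: int) -> bytes:
    """Marshalled TPML_PCR_SELECTION selecting one SHA-256 PCR:
    count=1, hashAlg, sizeofSelect=3, then a 3-byte bitmap."""
    bitmap = bytearray(3)
    bitmap[pcr_index // 8] |= 1 << (pcr_index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """TPM2_PolicyPCR in a fresh trial session:
    policyDigest' = H(policyDigest || TPM_CC_PolicyPCR || pcrs || pcrDigest)
    where pcrDigest = H(concatenated selected PCR values)."""
    pcr_digest = HASH(pcr_value).digest()
    start = b"\x00" * DIGEST_LEN
    return HASH(start + struct.pack(">I", TPM_CC_POLICY_PCR)
                + pcr_selection(pcr_index) + pcr_digest).digest()


def seal(secret: bytes, pcr_index: int, pcr_value: bytes) -> dict:
    """Stand-in for TPM2_Create: bind the secret to the policy digest of the
    PCR state it is created under (assumed helper, not a TPM API)."""
    return {"secret": secret,
            "auth_policy": policy_pcr_digest(pcr_index, pcr_value)}


def unseal(blob: dict, pcr_index: int, pcr_value: bytes):
    """Stand-in for TPM2_Unseal: release the secret only if the live PCR
    state satisfies the object's authPolicy; otherwise return None."""
    if policy_pcr_digest(pcr_index, pcr_value) != blob["auth_policy"]:
        return None
    return blob["secret"]


# Constructed measurements standing in for the hashes of the EFI binaries.
WINDOWS_ONLY = [b"bootmgfw.efi"]
VIA_GRUB = [b"shimx64.efi", b"grubx64.efi", b"bootmgfw.efi"]
PCR = 4


def dual_boot_scenario() -> dict:
    """Seal a volume key against the direct Windows chain, try both boot
    paths, then reseal against the shim+grub+bootmgfw chain."""
    vmk = b"constructed-volume-master-key"
    blob = seal(vmk, PCR, measure_boot_chain(WINDOWS_ONLY))
    via_grub = unseal(blob, PCR, measure_boot_chain(VIA_GRUB))    # None
    direct = unseal(blob, PCR, measure_boot_chain(WINDOWS_ONLY))  # vmk
    # Resealing needs the key, which only comes out on the direct path;
    # the new blob is then bound to the GRUB chain's PCR value instead.
    resealed = seal(direct, PCR, measure_boot_chain(VIA_GRUB))
    return {
        "via_grub": via_grub,
        "direct": direct,
        "resealed_via_grub": unseal(resealed, PCR, measure_boot_chain(VIA_GRUB)),
        "resealed_direct": unseal(resealed, PCR, measure_boot_chain(WINDOWS_ONLY)),
    }


if __name__ == "__main__":
    for name, value in dual_boot_scenario().items():
        print(f"{name}: {value!r}")
```

Note that after the reseal the direct Windows path no longer unseals: a PCR policy binds the key to exactly one measured chain, so keeping both boot paths working would need either two sealed blobs (one per chain's PCR value) or a policy covering both, and any update to shim, grub or the Windows bootloader changes the measurements and forces the same dance again.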


