On Tue, Jul 26, 2022 at 02:05:24PM -0400, Chris Murphy wrote:
> Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption)
> out of the box with the encryption key sealed in the TPM. Two different
> issues result:
>
> 1. Fedora's installer, Anaconda, can't resize Bitlocker volumes. We could use
> better documentation to help the user perform the volume resize in Windows,
> before proceeding to booting our installation media. The documentation
> probably should be explicitly referenced by the Windows version of Fedora
> Media Writer.
>
> 2. The Bitlocker encryption key is unsealed only if the boot chain
> measurement by the TPM matches the expected values in a TPM PCR. When
> shim+GRUB are in the boot chain, as is the case in our default dual boot
> installation, the measurements are wrong, and this means the GRUB menu entry
> to boot Windows won't work. The user is dropped to a Windows Bitlocker
> recovery page. If they have their backup encryption key handy, it will work
> but to say the least this condition is unexpected and not user friendly -
> not least of which is many users won't have this backup key handy since they
> didn't take the action to enable Bitlocker in the first place.
>
> The bug report for this is https://bugzilla.redhat.com/show_bug.cgi?id=2049849
>
> It was a Fedora 36 final release blocking bug, but considered a "difficult to
> fix" exceptional case, moving it to Fedora 37 final. Some of the options for
> consideration:
>
> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, so
> that instead of chainloading the Windows bootloader from GRUB, GRUB will
> modify the system NVRAM such that the next boot (only) will directly boot the
> Windows bootloader. Thus far there's no interest by GRUB upstream. Whereas
> systemd-boot has implemented it.
>
> b. Add a user space utility that modifies system NVRAM such that the next boot
> (only) will directly boot the Windows bootloader. And also remove the Windows
> boot entry in GRUB, on UEFI systems. (It would be retained on BIOS systems.)
>
> c. Change the release criterion.
>
> https://fedoraproject.org/wiki/Fedora_36_Final_Release_Criteria#Windows_dual_boot
>
> Current: The installer must be able to install into free space alongside an
> existing clean Windows installation and install a bootloader which can boot
> into both Windows and Fedora.
>
> Replacement: The installer must be able to install into free space alongside
> an existing clean Windows installation, install and configure a bootloader
> that will boot Fedora.
>
> d. Consider the problem sufficiently difficult to fix that we need an
> extension to the exceptional case allowance, and waive the bug for another
> release.
>
> Thoughts?
Since you say systemd-boot can already do what we want in this regard:
e. Replace grub for EFI systems with systemd-boot?
Or at least make systemd-boot a supported option alongside
grub for those who need dual boot with Windows.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
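As an added illustration of option (b) above, not code from the thread or from Fedora: a small POSIX shell helper that finds the firmware boot entry for the Windows Boot Manager in `efibootmgr` output and sets BootNext to it, so that the next boot only is started by the firmware directly and shim+GRUB never enter the measured chain BitLocker's TPM-sealed key depends on. The sample `efibootmgr` output is constructed; the function names and the device paths in it are assumptions.

```shell
#!/bin/sh
# Added example for option (b): set UEFI BootNext to the Windows Boot Manager
# entry so the firmware loads bootmgfw.efi directly, leaving the TPM PCR
# measurements as BitLocker expects them (no shim/GRUB in the chain).

# Read `efibootmgr` output on stdin and print the 4-hex-digit number of the
# entry labelled "Windows Boot Manager". Active entries carry a '*' after
# the number, inactive ones a space; both forms are accepted.
# Exit status is 1 if no such entry exists (grep . fails on empty output).
find_windows_bootnum() {
    sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)\*\{0,1\} *Windows Boot Manager.*/\1/p' \
        | head -n 1 | grep .
}

# Point BootNext at the given entry (one-shot; BootOrder is left untouched).
# Needs root and a mounted efivarfs; efibootmgr --bootnext is a real flag.
set_bootnext() {
    efibootmgr --bootnext "$1" >/dev/null
}

# Constructed sample resembling `efibootmgr` output on a Fedora/Windows
# dual-boot machine, so the parsing can be exercised without firmware access.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
BootOrder: 0001,0000,0002
Boot0000* Windows Boot Manager  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* Fedora  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x82000)/File(\EFI\fedora\shimx64.efi)
Boot0002  UEFI: Built-in EFI Shell'

# Convenience wrapper: entry number found in the constructed sample ("0000").
windows_bootnum_from_sample() {
    printf '%s\n' "$SAMPLE_EFIBOOTMGR" | find_windows_bootnum
}

# Real run: look up the live entry and arm BootNext. Uncomment the last
# line to use it on an actual machine (root required).
main() {
    num=$(efibootmgr | find_windows_bootnum) \
        || { echo "no Windows Boot Manager entry in firmware" >&2; return 1; }
    set_bootnext "$num"
    echo "BootNext=$num set; reboot to start Windows directly"
}
# main "$@"
```

Because BootNext applies to a single boot, a failure in Windows simply returns the machine to the normal BootOrder (Fedora's shim) on the following start.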
_______________________________________________
devel mailing list -- [email protected]
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]