TL;DR: bitlocker does not like grub
Full story:
Months ago I installed fedora on my desktop, dual booting Windows 11.
In all this time I never had the need to boot into windows. I remembered that it worked fine after install, good, and then I forgot about that.
Today I needed a specific windows only software, so at grub I chose the microsoft bootloader and… BITLOCKER.
Huh? Bitlocker? Me? What? Searched frantically for that decryption password in my keepass, did not find. What?? How???
After a few minutes staring at that screen I thought, ok let’s just wipe that shit and reclaim the space. I went back to linux, opened the partition manager, then remembered that i had something important in single copy over there. Noooooo
Went back to the boot screen to try again, still failed password.
Then I notice the error:
e_fve_pcr_mismatch
that mismatch lets me think that maybe I had something wrong in my booting.
I try to put windows first in the bios and it works! WHAT THE…???
So, if i put linux first, then launch windows from grub, bitlocker takes the windows partition under ransom, i can only access if windows is first. And of course in windows 11 x64 is no longer possible add linux partitions in their boot manager (previously it was possible)
Incompetence or maliciousness?
I have given up dual-booting and just have a Windows VM for work things that require Windows. Less muss, less fuss and I can move the VM around as needed when moving between primary PCs.
This. And fuck secure boot. Nowadays almost any of can run VMs flawlessly.
You can even use SecureBoot and TPM in a VM ;) OVMF EDK2 fully supports both ;)
SecureBoot is fine, sucks that vendors won’t add distro keys but you can do that yourself, or use the shim.
Or just disable it in UEFI and forget about it.
Security tools are there for a reason. Sure, I can encrypt my Linux rootfs, but that doesn’t stop anyone from tampering with the initramfs. Secure Boot + UKI does.
Cool. I still prefer to disable it.
did you have to buy a windows license to do it?
You may want to Google for a dev called Massgrave.
Is their GitHub account called massgravel (with an L at the end)? Or is that someone typo-squatting?
Just checked, massgravel (with an L) is right.
thanks, now it makes sense and it’s a nice reminder of why i left the windows eco-sphere over a decade ago
You don’t have to
If you only need it for 90 days before it expires, Microsoft will give you the VM for free (and if you’re particularly industrious, you might write a script that then installs a load of your shit for you to run after you fire up a fresh one)
If you don’t care about potentially breaking the law you can run it forever with a couple of scripts you can find on GitHub
If you don’t want to break the law but also don’t want to pay full price you can get a dubious but working key from sites like G2A and cdkeys
If that’s still too sketchy there’s the OEM licenses (honestly not worth it since they can only activate on a single machine ever)
Or finally you might feel sorry for Microsoft for some strange reason and want to go full retail price.
Basically the same experience with all options for a lot of cases, they’re just happy to have users it seems
Don’t pay the guys on G2A for keys - they’re just reselling stolen corporate MAK keys. They’re also not legal to the terms of the EULA, so it’s not a ‘genuine copy’ for the buyer either - you may as well just use Massgrave instead of funding crooks.
To add to your list of options: you can also just leave it unactivated forever.
It’ll whine about requiring activation with a ''Activate Windows. Go to Settings to activate Windows" message overlaying the bottom right corner of the screen - but that’s it, functionality is otherwise 99% unaffected (you can’t change wallpaper… Oh no). For Windows 10 it will now stop offering updates though - same as any standard Win10 copy, so I’d again recommend the Massgrave Dev route to keep the updates coming a few more years.
No why pay money for this to assholes,more over I use windows server edition which not possible to get if u are not business client and it cost 800$
windows server edition which not possible to get if u are not business client and it cost 800$
It probably depends on your uni, but students can get Windows Server licenses for free on Azure Education.
i don’t want to and that’s why i asked.
i stepped back into the windows eco sphere recently after leaving it 12 years ago and was wondering how people were getting around the activation now-a-days
My work has licenses I can apply for VMs when I’m keeping them for longer client work, so yes they are licensed in my case.
I wouldn’t do that for my own personal use though.
i left the windows eco-sphere around 12ish years ago and coming back has shown me that nothing has changed.
?? Can’t you just use Massgravel?
if massgravel wasn’t doing their thing circa 2012, then i don’t know about it because that’s when i stopped used windows.
I would like to go this route, but I’m really confused about how to do it legally, or even in a gray area sense. I once purchased a Windows 10 Pro license. I’m not sure if that entitles me to being able to install Windows in a VM, but I would really like to do this to run some Windows-only applications that don’t seem to work in WINE
Yeah, that’s basically it. Buy a license and apply it when you install windows from the windows ISO installer on the VM.
If you’ve already used the license on a PC, you may need a new one or you might be able to transfer it if it’s a retail version, not an OEM version.
Microsoft secure boot is 100% made to be a pain in the ass for Linux users. It doesn’t add any security, but is instead a huge added unnecessary risk factor for data loss for users.
It technically does add security in that it prevents a load of attack vectors that would dodge most anti malware tools (i.e. the ones before the anti malware tool can start)
But you’re right in that the execution of the idea is unnecessarily painful for Linux
OK so when did you hear of an actual successful attack that could have been avoided if the user had used secure boot?
Well boot sector viruses used to be all the rage in the 90s, they’re entirely impossible under secure boot
Malware rootkits were a pretty big problem about a decade ago, I understand the techniques those mostly used are more or less impossible under secure boot now too
Then we could go into all the government and adjacent industry use cases where state-sponsored targeted attacks are a real concern. Measures like filling USB ports with super glue and desoldering microphones on company laptops is not unusual in those circles, so blocking unknown bootloaders from executing is an absolute no brainer.
Saying it provides no security is just not true. Your front door isn’t only secure if someone has failed to break in
Secure Boot keys are considered compromised.
If you are recommending secure boot as a security measure, you should stop doing so.
I’m not recommending it, I’m describing why saying it adds no security is silly.
The keys being compromised on some motherboards doesn’t mean the whole concept is suddenly inert for every single user
If everyone has a copy of my passwords and authenticator keys, that wouldn’t suddenly make 2 factor auth a compromised idea.
Hell, even if you are one of those people running a machine with the compromised keys, it’s still going to block malware that was written before the keys were leaked unless malware authors have also figured out time travel.
If everyone has a copy of my passwords and authenticator keys, that wouldn’t suddenly make 2 factor auth a compromised idea.
Not sure how this relates. If you’re saying it was a good idea at the outset, then sure… If the keys hadn’t almost all been leaked by AMI and Phoenix. MS was supposed to have created a Microsoft Certified hardware vendor program for this, which fell apart pretty quickly.
Secure Boot is a joke, both practically (there are many, many tools in use to bypass it) and in my professional circles, it is considered obsolete like WEP. My audit controls for Secure Boot demand that an endpoint management solution like InTune is deployed.
You don’t have to take my word for it, obviously. I’m not trying to tell you how to live your life.
That’s just FUD. “Secure Boot keys are considered compromised.”…
some are… some
Doesn’t mean it’s better to turn off all security measures and live without them.
That’s like saying a lightbulb stopped working, so now you live without electricity. :)
The idea itself is fine (not getting into how not cool it is that a vendor holds the key to your bitlocker-encrypted disk once secure boot is turned on).
But so is WEP for WiFi, but no one uses that anymore because it’s considered compromised.
some are
65% of all TPM keys is “some”, I suppose. But that’s not the issue. Keys leak, it happens. The more troubling part is that Microsoft will cheerfully use the leaked key on your affected TPM and you’ll get the “safe” check mark in your next audit.
And this was warned about in 2011 when it started rolling out.
As for FUD, I don’t have a “fear” angle here. I can’t tell you how to live your life, use secure boot if you feel safe doing so.
WEP is insecure - that’s why it’s not used anymore.
Quite different to a secure protocol that has had some manufacturers leak keys due to poor security practices.
I don’t know which distro you’re using, but in Fedora and Debian it’s pretty easy to install the signed version of grub and the signed shime and get full secure boot in Linux. No setup needed.
Only as long as Microsoft allow it, and only because a lot of work was put into that shit. The first couple of years it was very flaky.
It’s easy enough to add your own secure boot keys, you can even remove the Microsoft keys so that only your OS will boot.
OK that’s new to me, I have to admit I haven’t been looking at it for years, I do not feel comfortable following Microsoft specifications, as Microsoft has a long h9istory of fucking things up for others on purpose, and their safety record is probably among the worst in the industry.
A few years ago I booted up Windows after months of exclusively using Linux. When I ran Windows Update it deleted and overwrote my Linux partition! This wasn’t a grub issue, my files were gone and even file recovery utilities couldn’t find much. Plenty of others have experienced the same thing.
This is still happening and is unquestionably pure maliciousness on Microsoft part.
Why not both?
Yeah you gotta disable bitlocker.
PCR is the name of a registered value in your TPM module.
Did you disable or otherwise changed your Secure Settings in your BIOS? That would do it.
Any changes in the boot process should change various PCR registers. https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
Nah. Specific field registers for specific things, and something like Bitlocker doesn’t watch ALL of them.
From the few docs I can find, it looks like 0,2,4, and 11. Pretty common.
I suppose I could have phrased that better. The registers themselves correspond to particular applications/stages, but the values store in those registers should change based on how the application/stage was loaded. Switch the order or inject a new binary and the hash from that stage on should change.
I think the first time I installed linux/grub on a repartionned windows drive, my first boot in windows it asked for the bitlocker key, I have it on a USB drive, it’s like 30 chars/number. Since then dual booting has always worked. Laptop is win10/linux and desktop is win11/linux.
EDIT: have not booted windows in monts, it asks for bitlocker key everytime booting with grub wtf!!!
distro?
MX Linux. Prior to install I disabled bitlocker in windows to be able to resize the part with gparted. Once in windows again I re-enabled it.
The MX installer is very complete, I was able to directly use LUKS to encrypt my linux partition, and I chose btrfs with multiple volumes. Once grub was installed I needed to change my BIOS to boot from linux partition, this is when my first boot in windows asked for the key.
thanks! You’ve satisfied my curiosity, and piqued my interest in MX Linux.
While there is a strong argument for incompetence, generally:
“Windows isn’t done until lotus doesn’t run”
Have you found a fix?
