TL;DR: bitlocker does not like grub

Full story:

Months ago I installed fedora on my desktop, dual booting Windows 11.

In all this time I never had the need to boot into windows. I remembered that it worked fine after install, good, and then I forgot about that.

Today I needed a specific windows only software, so at grub I chose the microsoft bootloader and… BITLOCKER.

Huh? Bitlocker? Me? What? Searched frantically for that decryption password in my keepass, did not find. What?? How???

After a few minutes staring at that screen I thought, ok let’s just wipe that shit and reclaim the space. I went back to linux, opened the partition manager, then remembered that i had something important in single copy over there. Noooooo

Went back to the boot screen to try again, still failed password.

Then I notice the error:

e_fve_pcr_mismatch

that mismatch lets me think that maybe I had something wrong in my booting.

I try to put windows first in the bios and it works! WHAT THE…???

So, if i put linux first, then launch windows from grub, bitlocker takes the windows partition under ransom, i can only access if windows is first. And of course in windows 11 x64 is no longer possible add linux partitions in their boot manager (previously it was possible)

Incompetence or maliciousness?

  • 9point6@lemmy.world
    4·
    6 hours ago

    I’m not recommending it, I’m describing why saying it adds no security is silly.

    The keys being compromised on some motherboards doesn’t mean the whole concept is suddenly inert for every single user

    If everyone has a copy of my passwords and authenticator keys, that wouldn’t suddenly make 2 factor auth a compromised idea.

    Hell, even if you are one of those people running a machine with the compromised keys, it’s still going to block malware that was written before the keys were leaked unless malware authors have also figured out time travel.

    • non_burglar@lemmy.world
      1·
      4 hours ago

      If everyone has a copy of my passwords and authenticator keys, that wouldn’t suddenly make 2 factor auth a compromised idea.

      Not sure how this relates. If you’re saying it was a good idea at the outset, then sure… If the keys hadn’t almost all been leaked by AMI and Phoenix. MS was supposed to have created a Microsoft Certified hardware vendor program for this, which fell apart pretty quickly.

      Secure Boot is a joke, both practically (there are many, many tools in use to bypass it) and in my professional circles, it is considered obsolete like WEP. My audit controls for Secure Boot demand that an endpoint management solution like InTune is deployed.

      You don’t have to take my word for it, obviously. I’m not trying to tell you how to live your life.