Hi,

It's increasingly common to see Windows 10 systems with full disk encryption (BitLocker) enabled out of the box, with the encryption key sealed in the TPM 2.0. [1][2][3]

The system uses Measured Boot to determine if boot-related components have been tampered with, and if not, the BitLocker key is unsealed by the TPM, and the system boots normally. The problem is that with dual-boot Linux systems, typically this means shim followed by GRUB are loaded, altering the PCR values used for sealing the BitLocker key, and the key is not unsealed. That means the user is left looking at a BitLocker recovery window instead of getting a successful boot whenever they boot the GRUB menu entry, e.g.:

### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-DA43-2963' {
	insmod part_gpt
	insmod fat
	search --no-floppy --fs-uuid --set=root DA43-2963
	chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}

One idea I've heard floated is having GRUB alter efivars such that BootNext is changed to do a one-time boot of Windows, instead of using chainloader. If BIOS, use chainloader as now. If UEFI, set the BootNext efi variable? This has the benefit of working even on UEFI systems which aren't BitLocker encrypted.

Can GRUB modify efivars now? If not, what work would be needed to enable GRUB to modify efivars? Alternatives?

[1] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures

[2] "BitLocker Encryption is enabled, by default, on computers that support Modern Standby." https://support.hp.com/us-en/document/c06458046

[3] I have a Lenovo Thinkpad X1 Carbon Gen 7, fairly popular hardware but also not the newest available; it came with Windows 10 preinstalled, and BitLocker was enabled out of the box. I wiped the laptop clean and installed Windows 10 from an ISO downloaded from microsoft.com. Same thing: following the clean install, full disk encryption is enabled. I did not opt in. This likely will expand due to the Windows 11 requirement that supporting hardware have TPM 2.0.
-- 
Chris Murphy

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
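The BootNext idea above, worked through from the Linux side as an added example (this is not code from the post, from GRUB, or from any distribution). On a running Linux system, `efibootmgr -n XXXX` already does the same job in one command; the script below shows what that command writes, so the same logic could be reproduced inside GRUB. It reads every `Boot####` variable exposed by efivarfs, parses the EFI_LOAD_OPTION structure (4-byte efivarfs attribute prefix, then UINT32 Attributes, UINT16 FilePathListLength, a NUL-terminated UTF-16LE description, then the device path), finds the active entry described as "Windows Boot Manager", and builds the 6-byte BootNext payload (efivarfs attributes + UINT16 boot number). On the next reboot the firmware then runs bootmgfw.efi directly, so neither shim nor GRUB is measured into the PCRs and the BitLocker seal matches a native Windows boot. The sample entries at the bottom are constructed here for offline testing; the device path in them is just an End-of-Path node, and the `--write` path, the efivarfs mount point and the description string to match are assumptions of this example.

```python
"""Set a one-time BootNext to the Windows Boot Manager entry via efivarfs.

Example code written for this thread, not GRUB's or any distro's code.
Run as root with --write to actually set BootNext; without it, dry run.
"""
import os
import struct
import sys
from pathlib import Path

# UEFI global variable namespace; Boot####, BootOrder and BootNext live here.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point

# efivarfs prefixes every variable payload with a UINT32 of these attributes.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
BOOTNEXT_VAR_ATTRS = (EFI_VARIABLE_NON_VOLATILE
                      | EFI_VARIABLE_BOOTSERVICE_ACCESS
                      | EFI_VARIABLE_RUNTIME_ACCESS)
LOAD_OPTION_ACTIVE = 0x1  # bit in EFI_LOAD_OPTION.Attributes


def parse_load_option(payload: bytes) -> dict:
    """Parse a Boot#### variable as read from efivarfs (EFI_LOAD_OPTION)."""
    if len(payload) < 10:
        raise ValueError("load option too short")
    var_attrs, attrs, fpl_len = struct.unpack_from("<IIH", payload, 0)
    pos = 10
    # Description is UTF-16LE, terminated by a 2-byte NUL on a 2-byte boundary.
    end = pos
    while end + 1 < len(payload) and payload[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(payload):
        raise ValueError("unterminated description")
    description = payload[pos:end].decode("utf-16-le")
    pos = end + 2
    return {
        "efivarfs_attrs": var_attrs,
        "attributes": attrs,
        "active": bool(attrs & LOAD_OPTION_ACTIVE),
        "description": description,
        "file_path": payload[pos:pos + fpl_len],
        "optional_data": payload[pos + fpl_len:],
    }


def build_bootnext(boot_num: int, var_attrs: int = BOOTNEXT_VAR_ATTRS) -> bytes:
    """Bytes to write to BootNext-<GUID>: efivarfs attrs + UINT16 Boot####."""
    if not 0 <= boot_num <= 0xFFFF:
        raise ValueError("Boot#### number out of range")
    return struct.pack("<IH", var_attrs, boot_num)


def find_boot_entry(entries: dict, wanted: str = "Windows Boot Manager"):
    """entries maps boot number -> raw payload; return first active match."""
    for num in sorted(entries):
        opt = parse_load_option(entries[num])
        if opt["active"] and opt["description"] == wanted:
            return num
    return None


def read_boot_entries(efivars: Path = EFIVARS) -> dict:
    """Read every Boot####-<global GUID> variable present in efivarfs."""
    entries = {}
    for p in efivars.glob(f"Boot????-{EFI_GLOBAL_VARIABLE_GUID}"):
        try:
            entries[int(p.name[4:8], 16)] = p.read_bytes()
        except ValueError:
            continue  # not a hex boot number, e.g. BootOrder/BootNext
    return entries


def make_load_option(description: str, device_path: bytes,
                     attrs: int = LOAD_OPTION_ACTIVE, var_attrs: int = 7) -> bytes:
    """Build a Boot#### payload as efivarfs would return it (for testing)."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<IIH", var_attrs, attrs, len(device_path)) + desc + device_path


# Constructed sample entries: a minimal End-of-Path device path node
# (type 0x7f, subtype 0xff, length 4) stands in for a real HD()/File() path.
END_OF_PATH = b"\x7f\xff\x04\x00"
SAMPLE_ENTRIES = {
    0x0001: make_load_option("ubuntu", END_OF_PATH),
    0x0002: make_load_option("Windows Boot Manager", END_OF_PATH, attrs=0),  # inactive
    0x0003: make_load_option("Windows Boot Manager", END_OF_PATH),
}


def main(argv):
    entries = read_boot_entries()
    num = find_boot_entry(entries)
    if num is None:
        print("no active 'Windows Boot Manager' Boot#### entry found", file=sys.stderr)
        return 1
    print(f"Windows Boot Manager is Boot{num:04X}")
    if "--write" in argv:
        target = EFIVARS / f"BootNext-{EFI_GLOBAL_VARIABLE_GUID}"
        # efivarfs wants attrs+data in one write(); an existing BootNext file
        # is immutable by default, so `chattr -i` it first if the write fails.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT, 0o644)
        try:
            os.write(fd, build_bootnext(num))
        finally:
            os.close(fd)
        print("BootNext set; the next boot goes straight to bootmgfw.efi")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Note that BootNext is consumed by the firmware on the next boot, so the change is one-shot and does not touch BootOrder; the inactive duplicate in the sample data is there to show why the LOAD_OPTION_ACTIVE bit has to be checked rather than matching on the description alone.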