Rich Freeman via plug on 9 Jan 2024 12:37:00 -0800
Re: [PLUG] Linux Install & school
On Tue, Jan 9, 2024 at 3:04 PM Aaron Mulder via plug <plug@lists.phillylinux.org> wrote:
>
> (even if we selected Windows from the Grub menu, Windows wanted a BitLocker recovery key because it noticed the changes, and we don’t have that for the school machine).

Well, Windows didn't notice the change so much as the TPM did. Most likely it is configured to do a measured boot, so when the firmware booted grub it hashed the grub EFI program and loaded that into the write-once-per-reset TPM memory before executing grub. Then when BitLocker went to retrieve the key for the hard drive encryption the TPM noted that the boot history had changed and refused to provide the key. The recovery key would provide an alternate means of access - without one or the other there is no way to decrypt the hard drive.

> I think the problem there is that the Ubuntu install changed the UEFI setup to put Grub higher in boot priority than Windows. Though I’m not sure, I don’t think it removed or corrupted the Windows boot loader, I think it just set Grub to be a higher priority. We couldn’t set it back because the UEFI menu is password-protected. Why could the Ubuntu installer change the boot priority but we need a password to change it back?

I'm not super-familiar with the EFI APIs/etc, but those might not require a password. That suggests that an appropriate tool could edit your EFI settings. Note that they need to be completely restored so that the device firmware runs the same EFI executable that it did before Ubuntu was installed, and not some kind of shim-loader.

I'm not familiar enough with these tools but I have a general idea of how TPMs work. TPMs are basically designed to keep people from doing this sort of thing - if anything tries to load itself before your OS (like a virus/rootkit/etc) it won't yield any stored keys, which are typically used for disk encryption.
You can do the same sort of thing on Linux, though I'm not sure if any distros actually support it (the kernel does, and I believe grub does as well, so I think it would just require configuration to make it work). This is a pretty typical secure configuration on laptops - at least the ones that don't run Linux other than ChromeOS.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
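The measured-boot behaviour described in the reply above, as an added example that is not part of the list post: a Python model of TPM PCR extension (each EFI image is hashed and folded into the previous register value, so the PCR records the whole boot order) with a volume key sealed to the PCR value of a direct Windows boot. The image bytes and volume key are constructed stand-ins, and `seal_to_pcr`/`unseal` are a simplified model of a PCR policy rather than a real TPM API.

```python
import hashlib
from typing import Dict, List, Optional

PCR_INITIAL = b"\x00" * 32  # every PCR starts at zero after a platform reset


def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM 2.0 PCR extend with SHA-256: new = H(old || H(image)).

    The old value is folded in, so the register encodes the entire boot
    history in order; it cannot be written directly, only extended, and it
    is cleared only by a reboot.
    """
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measured_boot(boot_chain: List[bytes]) -> bytes:
    """Firmware measures each EFI image into the PCR before executing it."""
    pcr = PCR_INITIAL
    for image in boot_chain:
        pcr = pcr_extend(pcr, image)
    return pcr


def seal_to_pcr(volume_key: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Simplified stand-in for sealing a secret under a PCR policy."""
    return {"policy_pcr": expected_pcr, "secret": volume_key}


def unseal(blob: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """The TPM releases the secret only when the live PCR matches the policy."""
    if current_pcr == blob["policy_pcr"]:
        return blob["secret"]
    return None  # policy mismatch: BitLocker falls back to the recovery key


# Constructed stand-ins for the EFI binaries that the firmware would hash.
WINDOWS_BOOTMGR = b"bootmgfw.efi (constructed stand-in)"
GRUB = b"grubx64.efi (constructed stand-in)"
VOLUME_KEY = b"constructed-volume-master-key"


def bitlocker_scenarios() -> Dict[str, Optional[bytes]]:
    """Key sealed when Windows booted directly; three later boot orders."""
    sealed = seal_to_pcr(VOLUME_KEY, measured_boot([WINDOWS_BOOTMGR]))
    return {
        "windows_direct": unseal(sealed, measured_boot([WINDOWS_BOOTMGR])),
        "grub_first": unseal(sealed, measured_boot([GRUB])),
        # Picking Windows from the grub menu still leaves grub in the history.
        "grub_then_windows": unseal(sealed, measured_boot([GRUB, WINDOWS_BOOTMGR])),
    }
```

Only the boot chain that exactly matches the one sealed against releases the key; a chain that merely ends at the Windows boot manager does not, which is why restoring the original EFI boot entry, not chainloading, is what brings the sealed key back.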