Rich Freeman via plug on 9 Jan 2024 12:37:00 -0800

Re: [PLUG] Linux Install & school


On Tue, Jan 9, 2024 at 3:04 PM Aaron Mulder via plug
<plug@lists.phillylinux.org> wrote:
>
>  (even if we selected Windows from the Grub menu, Windows wanted a BitLocker recovery key because it noticed the changes, and we don’t have that for the school machine).

Well, Windows didn't notice the change so much as the TPM did.  Most
likely it is configured to do a measured boot, so when the firmware
booted grub it hashed the grub EFI program and loaded that into the
write-once-per-reset TPM memory before executing grub.  Then when
BitLocker went to retrieve the key for the hard drive encryption the
TPM noted that the boot history had changed and refused to provide the
key.  The recovery key would provide an alternate means of access -
without one or the other there is no way to decrypt the hard drive.

> I think the problem there is that the Ubuntu install changed the UEFI setup to put Grub higher in boot priority than Windows.  Though I’m not sure, I don’t think it removed or corrupted the Windows boot loader, I think it just set Grub to be a higher priority.  We couldn’t set it back because the UEFI menu is password-protected.  Why could the Ubuntu installer change the boot priority but we need a password to change it back?

I'm not super-familiar with the EFI APIs/etc, but those might not
require a password.  That suggests that an appropriate tool could edit
your EFI settings.  Note that they need to be completely restored so
that the device firmware runs the same EFI executable that it did
before Ubuntu was installed, and not some kind of shim-loader.  I'm
not familiar enough with these tools but I have a general idea of how
TPMs work.

TPMs are basically designed to keep people from doing this sort of
thing - if anything tries to load itself before your OS (like a
virus/rootkit/etc) it won't yield any stored keys, which are typically
used for disk encryption.  You can do the same sort of thing on Linux,
though I'm not sure if any distros actually support it (the kernel
does, and I believe grub does as well, so I think it would just
require configuration to make it work).  This is a pretty typical
secure configuration on laptops - at least the ones that don't run
Linux other than ChromeOS.

-- 
Rich
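The measured-boot behaviour Rich describes above (firmware hashes each boot stage into write-once-per-reset TPM memory, and the disk key is only released when that history matches what it was sealed against) can be modelled in a few lines. The following is an added illustration, not code from the original post or from any TPM or BitLocker implementation: `pcr_extend`, `seal_key` and `unseal_key` are toy stand-ins for the real TPM operations, the HMAC/XOR wrapping is a simplification of real sealing, and the "boot components" are constructed byte strings standing in for the EFI executables the firmware would hash.

```python
"""Toy model of TPM measured boot and key sealing.

Added example, not from the mailing-list post. Real TPMs have several PCRs,
policy sessions and hardware-protected storage; this only shows the hashing
arithmetic that makes an extra bootloader in the chain invalidate a sealed key.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

HASH = hashlib.sha256
PCR_INITIAL = b"\x00" * 32  # PCR contents right after a reset (SHA-256 bank)


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Model of PCR extend: new = H(old || H(component)).

    This is why the memory is 'write-once-per-reset': there is no operation
    that sets a PCR back, only further extends, so the value encodes the
    whole ordered history of what was loaded since power-on.
    """
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Simulate firmware measuring each boot stage, in order, into one PCR."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal_key(disk_key: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Toy 'seal': bind a 32-byte key to a PCR value.

    A wrapping key is derived from the expected PCR value (assumption: real
    sealing uses TPM-internal secrets, not just the PCR), so the blob can
    only be unwrapped by presenting the same PCR value.
    """
    wrap = hmac.new(expected_pcr, b"seal", HASH).digest()
    ciphertext = bytes(a ^ b for a, b in zip(disk_key, wrap))
    tag = hmac.new(wrap, ciphertext, HASH).digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal_key(blob: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Toy 'unseal': release the key only if the current PCR matches.

    Returns None when the boot history differs, which is the point at which
    BitLocker falls back to asking for the recovery key.
    """
    wrap = hmac.new(current_pcr, b"seal", HASH).digest()
    tag = hmac.new(wrap, blob["ciphertext"], HASH).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], wrap))


# Constructed sample boot components: these byte strings stand in for the
# EFI executables the firmware would actually hash.
FIRMWARE = b"vendor UEFI firmware (constructed sample)"
WINDOWS_BOOTMGR = b"bootmgfw.efi (constructed sample)"
GRUB = b"grubx64.efi (constructed sample)"
DISK_KEY = HASH(b"constructed volume master key").digest()


def demo() -> Dict[str, bool]:
    """Walk through the scenario from the thread and report the two outcomes."""
    # Before Ubuntu: firmware loads the Windows boot manager directly, and
    # BitLocker seals the disk key against that PCR state.
    windows_pcr = measure_boot_chain([FIRMWARE, WINDOWS_BOOTMGR])
    blob = seal_key(DISK_KEY, windows_pcr)

    # Same chain on the next boot: unseal succeeds, no recovery key needed.
    direct = unseal_key(blob, measure_boot_chain([FIRMWARE, WINDOWS_BOOTMGR]))

    # After Ubuntu: firmware runs grub first, and grub chainloads Windows.
    # The extra measurement changes the PCR, so the TPM refuses to unseal
    # even though the Windows boot manager itself is untouched.
    via_grub = unseal_key(
        blob, measure_boot_chain([FIRMWARE, GRUB, WINDOWS_BOOTMGR])
    )
    return {"direct_boot_unseals": direct == DISK_KEY,
            "grub_first_unseals": via_grub is not None}


if __name__ == "__main__":
    print(demo())
```

Running the script shows that the direct Windows chain unseals the key while the grub-first chain does not, which is exactly the symptom in the thread: selecting Windows from the grub menu still leaves grub's measurement in the PCR history. It also shows why only an exact restoration of the original boot entry (the same EFI executable running first, not a shim or grub in front of it) would make the TPM release the key again without the recovery key.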
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug