TL;DR: bitlocker does not like grub

Full story:

Months ago I installed fedora on my desktop, dual booting Windows 11.

In all this time I never had the need to boot into windows. I remembered that it worked fine after install, good, and then I forgot about that.

Today I needed a specific windows only software, so at grub I chose the microsoft bootloader and… BITLOCKER.

Huh? Bitlocker? Me? What? Searched frantically for that decryption password in my keepass, did not find. What?? How???

After a few minutes staring at that screen I thought, ok let’s just wipe that shit and reclaim the space. I went back to linux, opened the partition manager, then remembered that i had something important in single copy over there. Noooooo

Went back to the boot screen to try again, still failed password.

Then I notice the error:

e_fve_pcr_mismatch

that mismatch lets me think that maybe I had something wrong in my booting.

I try to put windows first in the bios and it works! WHAT THE…???

So, if i put linux first, then launch windows from grub, bitlocker takes the windows partition under ransom, i can only access if windows is first. And of course in windows 11 x64 is no longer possible add linux partitions in their boot manager (previously it was possible)

Incompetence or maliciousness?

  • erebion@news.erebion.euEnglish
    3·
    1 day ago

    That’s just FUD. “Secure Boot keys are considered compromised.”…

    some are… some

    Doesn’t mean it’s better to turn off all security measures and live without them.

    That’s like saying a lightbulb stopped working, so now you live without electricity. :)

    • non_burglar@lemmy.world
      21·
      23 hours ago

      The idea itself is fine (not getting into how not cool it is that a vendor holds the key to your bitlocker-encrypted disk once secure boot is turned on).

      But so is WEP for WiFi, but no one uses that anymore because it’s considered compromised.

      some are

      65% of all TPM keys is “some”, I suppose. But that’s not the issue. Keys leak, it happens. The more troubling part is that Microsoft will cheerfully use the leaked key on your affected TPM and you’ll get the “safe” check mark in your next audit.

      And this was warned about in 2011 when it started rolling out.

      As for FUD, I don’t have a “fear” angle here. I can’t tell you how to live your life, use secure boot if you feel safe doing so.

      • pulsewidth@lemmy.world
        21·
        21 hours ago

        WEP is insecure - that’s why it’s not used anymore.

        Quite different to a secure protocol that has had some manufacturers leak keys due to poor security practices.