Re: Release criteria proposal: except BitLocker-enabled installs from Windows dual-boot criterion bootloader requirement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2022-09-19 at 16:45 -0400, Robbie Harwood wrote:
> Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> writes:
> 
> > For background here, see:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2049849
> > 
> > right now, when installing Fedora alongside a Windows install with
> > BitLocker enabled, trying to boot Windows from the Fedora boot menu
> > does not work.
> > 
> > We waived the bug as a blocker for Fedora 36 on the basis upstream did
> > not consider it fixable within the F36 timeframe. We agreed that if
> > upstream still couldn't get this fixed for F37, we'd consider revising
> > the criteria.
> > 
> > Well, we're approaching F37 Final and the bug is still open, and
> > there's no appreciable movement upstream, so I'm proposing the criteria
> > change. I propose we change this:
> > 
> > "The installer must be able to install into free space alongside an
> > existing clean Windows installation and install a bootloader which can
> > boot into both Windows and Fedora."
> > 
> > to say:
> > 
> > "The installer must be able to install into free space alongside an
> > existing clean Windows installation. As long as the Windows
> > installation does not have BitLocker enabled, the installer must also
> > install a bootloader which can boot into both Windows and Fedora."
> 
> (Fedora grub2 maintainer hat on)
> 
> I'm fine with the proposed change.  I'm also fine with the original
> text.
> 
> During boot, certain actions are taken that are recorded in the TPM.
> These include, for instance, any loaders that are run - like grub2.  The
> result is that if you load Windows from grub2 rather than the EFI
> firmware, the TPM state will be different.  Bitlocker cares about this
> TPM state.
> 
> So: if you install Windows and set up Bitlocker booting through grub, it
> will continue to work through grub.  If you install Windows outside grub
> (or it's pre-provisioned), it will continue to work outside grub.  If
> you want to move from not using grub to using grub, then Bitlocker needs
> to be reestablished with the new TPM values.
> 
> It is the opinion of the grub2 maintainers that this constitutes being
> able to boot both Windows and Fedora today.  However, we also understand
> that not everyone agrees with this, as evidenced by the existence of the
> bug and this thread about changing RC.

Practically speaking, the way this is "expected" to work is, you get a
system with Windows pre-installed, then you install Fedora, and Fedora
makes it so you can boot both Fedora and Windows. This is the
expectation that's built up around how things ought to work, and it's
what the existing criterion is trying to express.

In general, people do not start out with Linux installed and then
install Windows, this just isn't really a thing that happens a lot.

The word 'you' in your text is kinda doing a lot of heavy lifting. I
would say that what we (we-as-in-Fedora) are concerned with here are
users who do not want to know or care about the details of grub or UEFI
or Windows or BitLocker. The user does not really "want" to "move from
not using grub to using grub". The user wants to move from only having
Windows to having both Windows and Linux. That's the high-level goal
here. grub is an implementation detail (chosen by "us", Fedora, not by
the user).

> The only way to get the TPM state to match not using a particular loader
> is to not use a loader - i.e., have grub2 (or efibootmgr in Fedora
> userspace) set EFI BootNext and reboot the machine.  But generally, if
> users want to be booting Windows through grub, we recommend they
> configure Bitlocker against those PCR values instead.

Is there a good place to point folks who are interested in the
technical details here for documentation?

Thanks!
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux