On Mon, 2022-09-19 at 16:45 -0400, Robbie Harwood wrote: > Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> writes: > > > For background here, see: > > https://bugzilla.redhat.com/show_bug.cgi?id=2049849 > > > > right now, when installing Fedora alongside a Windows install with > > BitLocker enabled, trying to boot Windows from the Fedora boot menu > > does not work. > > > > We waived the bug as a blocker for Fedora 36 on the basis upstream did > > not consider it fixable within the F36 timeframe. We agreed that if > > upstream still couldn't get this fixed for F37, we'd consider revising > > the criteria. > > > > Well, we're approaching F37 Final and the bug is still open, and > > there's no appreciable movement upstream, so I'm proposing the criteria > > change. I propose we change this: > > > > "The installer must be able to install into free space alongside an > > existing clean Windows installation and install a bootloader which can > > boot into both Windows and Fedora." > > > > to say: > > > > "The installer must be able to install into free space alongside an > > existing clean Windows installation. As long as the Windows > > installation does not have BitLocker enabled, the installer must also > > install a bootloader which can boot into both Windows and Fedora." > > (Fedora grub2 maintainer hat on) > > I'm fine with the proposed change. I'm also fine with the original > text. > > During boot, certain actions are taken that are recorded in the TPM. > These include, for instance, any loaders that are run - like grub2. The > result is that if you load Windows from grub2 rather than the EFI > firmware, the TPM state will be different. Bitlocker cares about this > TPM state. > > So: if you install Windows and set up Bitlocker booting through grub, it > will continue to work through grub. If you install Windows outside grub > (or it's pre-provisioned), it will continue to work outside grub. If > you want to move from not using grub to using grub, then Bitlocker needs > to be reestablished with the new TPM values. > > It is the opinion of the grub2 maintainers that this constitutes being > able to boot both Windows and Fedora today. However, we also understand > that not everyone agrees with this, as evidenced by the existence of the > bug and this thread about changing RC. Practically speaking, the way this is "expected" to work is, you get a system with Windows pre-installed, then you install Fedora, and Fedora makes it so you can boot both Fedora and Windows. This is the expectation that's built up around how things ought to work, and it's what the existing criterion is trying to express. In general, people do not start out with Linux installed and then install Windows, this just isn't really a thing that happens a lot. The word 'you' in your text is kinda doing a lot of heavy lifting. I would say that what we (we-as-in-Fedora) are concerned with here are users who do not want to know or care about the details of grub or UEFI or Windows or BitLocker. The user does not really "want" to "move from not using grub to using grub". The user wants to move from only having Windows to having both Windows and Linux. That's the high-level goal here. grub is an implementation detail (chosen by "us", Fedora, not by the user). > The only way to get the TPM state to match not using a particular loader > is to not use a loader - i.e., have grub2 (or efibootmgr in Fedora > userspace) set EFI BootNext and reboot the machine. But generally, if > users want to be booting Windows through grub, we recommend they > configure Bitlocker against those PCR values instead. Is there a good place to point folks who are interested in the technical details here for documentation? Thanks! -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue