On 9/19/22 16:45, Robbie Harwood wrote:
> Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> writes:
>
>> For background here, see:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2049849
>>
>> right now, when installing Fedora alongside a Windows install with
>> BitLocker enabled, trying to boot Windows from the Fedora boot menu
>> does not work.
>>
>> We waived the bug as a blocker for Fedora 36 on the basis upstream did
>> not consider it fixable within the F36 timeframe. We agreed that if
>> upstream still couldn't get this fixed for F37, we'd consider revising
>> the criteria.
>>
>> Well, we're approaching F37 Final and the bug is still open, and
>> there's no appreciable movement upstream, so I'm proposing the criteria
>> change. I propose we change this:
>>
>> "The installer must be able to install into free space alongside an
>> existing clean Windows installation and install a bootloader which can
>> boot into both Windows and Fedora."
>>
>> to say:
>>
>> "The installer must be able to install into free space alongside an
>> existing clean Windows installation. As long as the Windows
>> installation does not have BitLocker enabled, the installer must also
>> install a bootloader which can boot into both Windows and Fedora."
>
> (Fedora grub2 maintainer hat on)
>
> I'm fine with the proposed change. I'm also fine with the original
> text.
>
> During boot, certain actions are taken that are recorded in the TPM.
> These include, for instance, any loaders that are run - like grub2. The
> result is that if you load Windows from grub2 rather than the EFI
> firmware, the TPM state will be different. Bitlocker cares about this
> TPM state.
>
> So: if you install Windows and set up Bitlocker booting through grub, it
> will continue to work through grub. If you install Windows outside grub
> (or it's pre-provisioned), it will continue to work outside grub. If
> you want to move from not using grub to using grub, then Bitlocker needs
> to be reestablished with the new TPM values.
>
> It is the opinion of the grub2 maintainers that this constitutes being
> able to boot both Windows and Fedora today. However, we also understand
> that not everyone agrees with this, as evidenced by the existence of the
> bug and this thread about changing RC.
>
> The only way to get the TPM state to match not using a particular loader
> is to not use a loader - i.e., have grub2 (or efibootmgr in Fedora
> userspace) set EFI BootNext and reboot the machine. But generally, if
> users want to be booting Windows through grub, we recommend they
> configure Bitlocker against those PCR values instead.

That is a terrible user experience. Grub should support setting BootNext and rebooting.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
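
The TPM behaviour discussed in this thread, as an added example that is not part of any message above and is not grub2, firmware or BitLocker code: a simplified single-PCR model of measured boot showing why a key sealed on a direct firmware boot does not unseal when grub2 is in the chain, and why a BootNext reboot restores the original value. The component byte strings, the `SealedKey` class and the single-PCR policy are constructed assumptions; real firmware measures more events into several PCRs.

```python
import hashlib
import hmac

def extend(pcr: bytes, image: bytes) -> bytes:
    """SHA-256 bank extend: new = SHA256(old || digest-of-measured-image)."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def replay(chain) -> bytes:
    """Replay measurements from the all-zero value a PCR holds after reset."""
    pcr = bytes(32)
    for image in chain:
        pcr = extend(pcr, image)
    return pcr

class SealedKey:
    """Hypothetical stand-in for a TPM object sealed to one PCR value."""
    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret, self._expected = secret, expected_pcr

    def unseal(self, current_pcr: bytes):
        # The TPM releases the secret only if the live PCR matches the policy.
        if hmac.compare_digest(current_pcr, self._expected):
            return self._secret
        return None

# Constructed placeholders for the measured boot images.
SHIM = b"constructed: shim image"
GRUB = b"constructed: grub2 image"
WIN_BOOTMGR = b"constructed: Windows Boot Manager image"

DIRECT = [WIN_BOOTMGR]               # firmware loads Windows itself
VIA_GRUB = [SHIM, GRUB, WIN_BOOTMGR]  # Windows chainloaded from grub2

def chain_after_bootnext_reboot():
    """grub2 sets BootNext and resets: PCRs restart from zero and the
    firmware loads Windows directly, so the chain equals DIRECT."""
    return list(DIRECT)

if __name__ == "__main__":
    key = SealedKey(b"volume-key", replay(DIRECT))  # provisioned outside grub
    for name, chain in [("direct", DIRECT), ("via grub2", VIA_GRUB),
                        ("BootNext + reboot", chain_after_bootnext_reboot())]:
        ok = key.unseal(replay(chain)) is not None
        print(f"{name:18} PCR={replay(chain).hex()[:16]}... unseal={ok}")
```

Sealing against `replay(VIA_GRUB)` instead models re-establishing BitLocker with the new TPM values, after which the grub2 path unseals and the direct path does not.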