Adam Williamson <adamw...@fedoraproject.org> writes:

> For background here, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=2049849
>
> right now, when installing Fedora alongside a Windows install with
> BitLocker enabled, trying to boot Windows from the Fedora boot menu
> does not work.
>
> We waived the bug as a blocker for Fedora 36 on the basis upstream did
> not consider it fixable within the F36 timeframe. We agreed that if
> upstream still couldn't get this fixed for F37, we'd consider revising
> the criteria.
>
> Well, we're approaching F37 Final and the bug is still open, and
> there's no appreciable movement upstream, so I'm proposing the criteria
> change. I propose we change this:
>
> "The installer must be able to install into free space alongside an
> existing clean Windows installation and install a bootloader which can
> boot into both Windows and Fedora."
>
> to say:
>
> "The installer must be able to install into free space alongside an
> existing clean Windows installation. As long as the Windows
> installation does not have BitLocker enabled, the installer must also
> install a bootloader which can boot into both Windows and Fedora."

(Fedora grub2 maintainer hat on)

I'm fine with the proposed change.  I'm also fine with the original
text.

During boot, certain actions are taken that are recorded in the TPM.
These include, for instance, any loaders that are run - like grub2.  The
result is that if you load Windows from grub2 rather than the EFI
firmware, the TPM state will be different.  BitLocker cares about this
TPM state.

So: if you install Windows and set up BitLocker booting through grub, it
will continue to work through grub.  If you install Windows outside grub
(or it's pre-provisioned), it will continue to work outside grub.  If
you want to move from not using grub to using grub, then BitLocker needs
to be reestablished with the new TPM values.

It is the opinion of the grub2 maintainers that this constitutes being
able to boot both Windows and Fedora today.  However, we also understand
that not everyone agrees with this, as evidenced by the existence of the
bug and this thread about changing RC.

The only way to get the TPM state to match not using a particular loader
is to not use a loader - i.e., have grub2 (or efibootmgr in Fedora
userspace) set EFI BootNext and reboot the machine.  But generally, if
users want to be booting Windows through grub, we recommend they
configure BitLocker against those PCR values instead.

Be well,
--Robbie
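Added example (not part of Robbie's message or of the grub2 project's code): a simplified Python model of the TPM PCR extend rule described above, showing why loading Windows through grub2 produces a different PCR value than loading it directly from the firmware, why a BitLocker policy established while booting through grub keeps working through grub, and why a BootNext reboot (which resets the PCRs) reproduces the firmware-direct value. The loader images and the single SHA-256 PCR are constructed simplifications; real BitLocker policies bind to several PCRs fed by real firmware event logs.

```python
import hashlib

# Constructed stand-ins for the measured boot-chain components; real PCR
# values come from the actual EFI binaries and firmware events.
GRUB2 = b"grubx64.efi (constructed image bytes)"
WINDOWS = b"bootmgfw.efi (constructed image bytes)"

# A single SHA-256 PCR starts at all zeros after power-on or reset.
PCR_INIT = bytes(32)


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(image)).

    The old value is folded in, so the result depends on every prior
    measurement and on their order; nothing measured later can undo it.
    """
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measured_boot(chain: list[bytes]) -> bytes:
    """Replay one boot path (loaders in the order the firmware ran them)."""
    pcr = PCR_INIT
    for image in chain:
        pcr = extend(pcr, image)
    return pcr


def seal(chain: list[bytes]) -> bytes:
    """PCR value BitLocker binds its key to when it is set up on this path."""
    return measured_boot(chain)


def unseal_ok(policy: bytes, chain: list[bytes]) -> bool:
    """Key release succeeds only if the observed path reproduces the policy."""
    return measured_boot(chain) == policy


def bootnext_path() -> list[bytes]:
    """After efibootmgr (or grub) sets BootNext and the machine reboots, the
    PCRs are reset and the firmware loads Windows directly: grub2 is never
    measured in that boot."""
    return [WINDOWS]


if __name__ == "__main__":
    direct = seal([WINDOWS])  # BitLocker set up on a firmware-direct boot
    print("direct  :", unseal_ok(direct, [WINDOWS]))
    print("via grub:", unseal_ok(direct, [GRUB2, WINDOWS]))
    print("BootNext:", unseal_ok(direct, bootnext_path()))
    print("through-grub policy, booted through grub:",
          unseal_ok(seal([GRUB2, WINDOWS]), [GRUB2, WINDOWS]))
```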
