Public bug reported:

When GRUB chainloads \EFI\Microsoft\Boot\bootmgfw.efi to boot Windows, the TPM PCR measurements are altered because GRUB is in the boot chain. This causes BitLocker to prompt for the recovery key on every boot via GRUB.

This affects all Ubuntu dual-boot setups with Windows + BitLocker on UEFI systems.

Workaround: I've developed a workaround that boots a minimal Linux kernel/initramfs which sets the UEFI BootNext variable via efibootmgr and immediately reboots. The firmware then boots Windows natively with correct TPM state. BitLocker is happy. The premount script runs before the LUKS prompt, so you never have to enter your Linux disk encryption password just to boot Windows.

See: https://gist.github.com/graingert/38d834a24a760d664b3f903ed48d6dca

Proposed solution: GRUB (or os-prober / 30_os-prober) should support setting EFI BootNext and triggering a reboot instead of chainloading. This would make dual-booting with BitLocker work out of the box without breaking TPM measurements.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: grub2-common 2.12-1ubuntu7.3
ProcVersionSignature: Ubuntu 6.17.0-19.19~24.04.2-generic 6.17.13
Uname: Linux 6.17.0-19-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Mar 19 12:03:36 2026
InstallationDate: Installed on 2022-07-23 (1335 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
SourcePackage: grub2
Title: GRUB chainloading Windows breaks BitLocker TPM PCR measurements
UpgradeStatus: Upgraded to noble on 2024-09-12 (553 days ago)

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bitlocker dual-boot efi noble tpm wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2144897



-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
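The BootNext-and-reboot approach the report describes, written out here as an added shell example; it is not the reporter's gist and not part of grub2 or os-prober. It is shaped like an initramfs-tools init-premount script (that hook placement, the presence of efibootmgr and a mounted efivarfs inside the special "boot Windows" initramfs, and invoking the script as `script run` are all assumptions). It locates the Windows Boot Manager entry in `efibootmgr` output, refuses to act unless it found a well-formed entry number, sets BootNext and reboots. The sample `efibootmgr` output is constructed, and `find_windows_bootnum`, `build_bootnext_cmd` and `boot_windows_via_bootnext` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the reporter's gist: a minimal initramfs-tools style
# init-premount script that hands the next boot to the Windows Boot Manager
# through the UEFI BootNext variable instead of chainloading it from GRUB.
# Assumptions: efibootmgr is copied into the initramfs, efivarfs is mounted
# (efibootmgr needs it), and the special "boot Windows" initramfs invokes
# this script as `script run`. Function and variable names are chosen here.

# Constructed sample of `efibootmgr` output, used by the dry-run path only.
SAMPLE_EFIBOOTMGR_OUTPUT='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002
Boot0000* ubuntu HD(1,GPT,PLACEHOLDER-GUID,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Windows Boot Manager HD(1,GPT,PLACEHOLDER-GUID,0x800,0x100000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* UEFI: PXE IPv4 PciRoot(0x0)/Pci(0x1c,0x0)/MAC(PLACEHOLDER,1)'

# Read efibootmgr output on stdin and print the four-hex-digit number of the
# entry whose load path is the Windows boot manager. Returns 1 if nothing
# matches, so a caller never sets BootNext to an empty or guessed value.
find_windows_bootnum() {
    awk '
        index(tolower($0), "bootmgfw.efi") &&
        $1 ~ /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*?$/ {
            n = $1; sub(/^Boot/, "", n); sub(/\*$/, "", n)
            print n; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Validate the entry number and print the exact command that would be run.
build_bootnext_cmd() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) echo "refusing to set BootNext to '$1'" >&2; return 1 ;;
    esac
    printf 'efibootmgr --bootnext %s\n' "$1"
}

# Set BootNext to the Windows entry and reboot immediately. BootNext is a
# one-shot variable: firmware consumes it on the next boot, so BootOrder and
# the default GRUB entry are left untouched. With "dry-run" as $1 the function
# uses the constructed sample and only prints the command it would run.
boot_windows_via_bootnext() {
    if [ "${1:-}" = dry-run ]; then
        out=$SAMPLE_EFIBOOTMGR_OUTPUT
    else
        out=$(efibootmgr) || return 1
    fi
    num=$(printf '%s\n' "$out" | find_windows_bootnum) || return 1
    cmd=$(build_bootnext_cmd "$num") || return 1
    if [ "${1:-}" = dry-run ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    efibootmgr --bootnext "$num" >/dev/null || return 1
    # Firmware loads bootmgfw.efi directly, so the TPM PCRs reflect the native
    # Windows boot path and BitLocker can unseal without the recovery key.
    reboot -f 2>/dev/null || echo b > /proc/sysrq-trigger
}

case "${1:-}" in
    prereqs) echo "" ;;                          # initramfs-tools dependency query
    run)     boot_windows_via_bootnext ;;        # real invocation inside the initramfs
    dry-run) boot_windows_via_bootnext dry-run ;;
esac
```

Run it as `sh script dry-run` to see the command it would issue against the constructed sample; on a real system the `run` path only fires after an entry number has been validated, which is the check worth keeping if this is ever turned into an os-prober generated menu entry. Because BootNext is consumed by the firmware on the very next boot, a failed or interrupted reboot leaves BootOrder and the GRUB default exactly as they were.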