
#1 2018-04-26 17:02:14

ThreeMonkeys
Member
Registered: 2015-07-10
Posts: 14

rEFInd and Bitlocker

Hi,

I've been using Archlinux, Windows (nobody's perfect) and rEFInd for a few years. I configured Secure Boot (with shim). I was perfectly happy with this configuration, until I decided to activate Bitlocker for Windows. As I have a TPM device on my motherboard, I decided to use PIN protection. Everything works fine except one thing: every time I boot Windows through rEFInd, after the PIN, Windows asks for a recovery key because "something changed since the last use of Windows". I know the TPM checks if some PCR values changed since the last boot (ROM, hard drives, and so on) before releasing the key with the PIN. What I don't understand is what is changing.

The root cause seems to be rEFInd:

  • without rEFInd, when using the UEFI boot menu directly, Bitlocker asks for the PIN and everything is fine, even when I switch from Linux to Windows and vice versa;

  • with rEFInd, even from Windows to Windows, Bitlocker asks for the PIN *and* for the recovery PIN (defeating the purpose of the PIN, of course);

  • I tried to find which PCR is changing; it's easy with Linux, but I don't know how to do it with Windows;

  • no problem with Archlinux, through rEFInd or through the UEFI boot menu.

I tried to disable hidden_tags in the rEFInd configuration, as it uses NVRAM to store some information (and I think that the TPM checks if NVRAM data changed), but no luck.

What could I try in order to solve this issue? I really like rEFInd, but eventually I'll replace it with systemd-boot if I don't find any solution.

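Added example, not part of the thread: the poster says finding the changed PCR "is easy with Linux". One way to do that is to capture `tpm2_pcrread sha256` (tpm2-tools) once after a native boot and once after booting through rEFInd, then diff the two snapshots. The script below parses that listing format and reports which PCR indices differ; the two snapshots embedded in it are constructed sample data, not real measurements.

```shell
#!/bin/sh
# Added example (not from the thread): report which PCR indices differ between
# two snapshots written in the output format of `tpm2_pcrread sha256`.
# Lines of interest look like "  7 : 0x89EAF3..." (index, colon, hex value).

# Extract "index value" pairs from a tpm2_pcrread-style listing.
# Bank headers such as "sha256:" do not match and are skipped.
pcr_pairs() {
    printf '%s\n' "$1" | awk -F'[ :]+' '/^ *[0-9]+ *:/ { print $2, tolower($3) }'
}

# Print, on one line, the indices whose value differs between snapshot A and
# snapshot B (an index present only in B is also reported as changed).
changed_pcrs() {
    { pcr_pairs "$1"; echo '--'; pcr_pairs "$2"; } | awk '
        $1 == "--"       { second = 1; next }
        !second          { before[$1] = $2; next }
        before[$1] != $2 { out = out (out == "" ? "" : " ") $1 }
        END              { print out }'
}

# Constructed sample snapshots (values are made up; real ones are 64 hex digits
# of a SHA-256 digest). PCR 4 (boot manager code) and PCR 7 (Secure Boot
# policy) differ, PCRs 0 and 11 do not.
PCR_BEFORE='sha256:
  0 : 0x0000000000000000000000000000000000000000000000000000000000000001
  4 : 0x00000000000000000000000000000000000000000000000000000000000000a4
  7 : 0x00000000000000000000000000000000000000000000000000000000000000b7
  11: 0x00000000000000000000000000000000000000000000000000000000000000cb'

PCR_AFTER='sha256:
  0 : 0x0000000000000000000000000000000000000000000000000000000000000001
  4 : 0x00000000000000000000000000000000000000000000000000000000000000e4
  7 : 0x00000000000000000000000000000000000000000000000000000000000000f7
  11: 0x00000000000000000000000000000000000000000000000000000000000000cb'

# Usage on a real machine (assumed tpm2-tools install):
#   tpm2_pcrread sha256 > /tmp/pcr-native.txt      (after booting via the firmware menu)
#   tpm2_pcrread sha256 > /tmp/pcr-refind.txt      (after booting via rEFInd)
#   changed_pcrs "$(cat /tmp/pcr-native.txt)" "$(cat /tmp/pcr-refind.txt)"
changed_pcrs "$PCR_BEFORE" "$PCR_AFTER"
```

The Linux snapshots only tell you what rEFInd changes in the measured boot path; whether that matters to BitLocker depends on which PCRs the TPM protector is sealed to, which `manage-bde -protectors -get C:` on the Windows side lists as the PCR validation profile.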

#2 2019-10-06 08:50:07

Elektro
Member
From: Spain
Registered: 2009-05-28
Posts: 16

Re: rEFInd and Bitlocker

Hello.

I'm facing this problem too. Did you manage to solve it?

In my case, I tried to use signed systemd-boot, but I couldn't successfully use shim or PreLoader. My BIOS refuses it.

Regards.


#3 2021-04-11 16:14:18

no-cheating
Member
From: Poland
Registered: 2016-04-26
Posts: 61

Re: rEFInd and Bitlocker

This StackOverflow comment explains the problem in detail. It seems it's not possible to use automatic BitLocker decryption on boot (TPM-based) when booting to Windows from some external boot manager - you absolutely must boot Windows from UEFI interface directly, or disable BitLocker, or use some non-automatic (non-TPM-based) BitLocker decryption method.

A workaround to this (as suggested by rEFInd author) is to add firmware-based Windows stanza in rEFInd configuration (e.g. menuentry "Windows 10" { firmware_bootnum 0000 }). Instead of booting Windows through rEFInd, it'll reboot the machine and boot Windows through UEFI directly. It increases the boot time (you'll need an additional reboot), but it might be a cost someone is willing to pay to have everything bootable through rEFInd interface. I'm actually using that solution on my machine and it works well for me.

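Added example, not part of the thread or of rEFInd itself: the `firmware_bootnum` workaround needs the number of the firmware's own "Windows Boot Manager" entry, which `efibootmgr` prints on Linux. The script below pulls that number out of efibootmgr output and emits the matching rEFInd stanza. The efibootmgr listing it runs on is a constructed sample; the menu title and config path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the rEFInd project): derive a
# firmware_bootnum stanza for refind.conf from `efibootmgr` output, so rEFInd
# hands Windows to the firmware instead of loading bootmgfw.efi itself and
# BitLocker's PCR measurements match a native boot.

# Print the 4-hex-digit number of the "Windows Boot Manager" entry.
# Input is the text of `efibootmgr` (no -v); entries look like
# "Boot0000* Windows Boot Manager<TAB>HD(...)". The "*" marks an active entry;
# inactive ones (no "*") are skipped. Prints nothing if no match is found.
windows_bootnum() {
    printf '%s\n' "$1" \
        | sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)\* Windows Boot Manager.*/\1/p' \
        | head -n 1
}

# Emit the rEFInd stanza. Returns 1 (and prints nothing) when the entry is
# missing, so a caller never pastes an empty bootnum into refind.conf.
refind_firmware_stanza() {
    num=$(windows_bootnum "$1")
    [ -n "$num" ] || return 1
    cat <<EOF
menuentry "Windows (via firmware)" {
    firmware_bootnum $num
}
EOF
}

# Constructed sample efibootmgr output (entry numbers and names made up).
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 2 seconds
BootOrder: 0001,0000,0003
Boot0000* Windows Boot Manager
Boot0001* rEFInd Boot Manager
Boot0003* UEFI OS'

# On a real system (assumed paths, ESP mounted at /boot):
#   refind_firmware_stanza "$(efibootmgr)" >> /boot/EFI/refind/refind.conf
refind_firmware_stanza "$SAMPLE_EFIBOOTMGR"
```

Re-run the check after a Windows feature update or a firmware reset: Windows may recreate its boot entry under a different number, and a stale `firmware_bootnum` then points at nothing.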
