#1 2021-04-10 12:36:19

no-cheating
Member
From: Poland
Registered: 2016-04-26
Posts: 61

[SOLVED] Cannot boot encrypted Windows 10 on Secure Boot using rEFInd

Problem summary

I want to have a dual boot of Arch and Windows 10 on my ThinkPad P1 Gen 3. Windows 10 came pre-installed with the laptop. After that I successfully installed Arch and am able to boot it. The problem I have is I'm not able to boot Windows from the boot loader of my choice: rEFInd. Every time I try to boot Windows from rEFInd I'm getting a blue BitLocker recovery screen, asking me to enter the recovery key for my drive, as Windows detected an unsafe boot attempt.

Secure Boot

I have Secure Boot on. I'm signing both my Linux kernel and my rEFInd binaries using keys generated by rEFInd. I'm not adding any keys manually to my UEFI firmware, instead relying on a signed Shim loader, which is run by UEFI and then gives control to rEFInd. I use Shim's key (not hash) authentication. Secure Boot seems to be working fine from the firmware's side, because with Secure Boot enabled I can run rEFInd and boot into Arch without any issues. It's only Windows that has problems when trying to boot it from rEFInd.

Windows encryption (BitLocker)

My Windows 10 partition is encrypted using BitLocker. That seems to be part of the problem, as while booting Windows I'm getting a blue screen informing me about BitLocker's security mechanisms.

rEFInd stanzas

Ideally I want to have only manual boot stanzas in refind.conf. My boot stanza for Windows is the following:

menuentry "Windows 10" {
    loader \EFI\Microsoft\Boot\bootmgfw.efi
}

I also tried booting Windows from rEFInd using its auto-generated boot options and the result is the same - Windows shows the blue BitLocker warning screen because of an insecure boot attempt.

UEFI boot entries

$ efibootmgr -v
(...)
Boot0000* Windows Boot Manager	HD(1,GPT,50e6f6b2-2bf2-41e5-9fd2-26adaf4dfd4e,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...4................
Boot0001  rEFInd Boot Manager (direct)	HD(1,GPT,50e6f6b2-2bf2-41e5-9fd2-26adaf4dfd4e,0x800,0x82000)/File(\EFI\refind\grubx64.efi)
Boot0002* rEFInd Boot Manager	HD(1,GPT,50e6f6b2-2bf2-41e5-9fd2-26adaf4dfd4e,0x800,0x82000)/File(\EFI\refind\shimx64.efi)
(...)

Booting Windows directly from UEFI works

Booting Windows directly from UEFI entry 0000 (instead of through rEFInd) works fine - no BitLocker screen showing. So it seems to be rEFInd (or Shim) that does something that Windows detects as unsafe.

As the Windows UEFI boot entry has WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...4................, I'm wondering whether maybe I need to add the BCDOBJECT parameter to my rEFInd stanza to make it work? But then I don't know how to do it properly. Especially what the following parts do and how to add them properly: WINDOWS........., x..., ...4.................

Possible duplicate

Possibly my post is a duplicate of rEFInd and Bitlocker. I decided to create a new post, as I wanted to give more details.

Update: General problem with Windows

I tried booting Windows from another boot loader, systemd-boot, and got the same error. The same happens when I boot the Windows UEFI executable through Shim and PreLoader. So the problem is not in any way unique to rEFInd, but it's a general problem of booting a BitLocker-encrypted Windows installation. The only way it works is if you run the Windows UEFI executable bootmgfw.efi directly from UEFI (not using any boot loader before it).

Last edited by no-cheating (2021-04-11 16:16:04)

#2 2021-04-11 16:09:51

no-cheating
Member
From: Poland
Registered: 2016-04-26
Posts: 61

Re: [SOLVED] Cannot boot encrypted Windows 10 on Secure Boot using rEFInd

This StackOverflow comment explains the problem in detail. So it seems it's not possible to use automatic BitLocker decryption on boot when booting to Windows from some external boot manager - you absolutely must boot Windows from the UEFI interface directly, or disable BitLocker, or use some non-automatic BitLocker decryption method.

A workaround to this (as suggested by the rEFInd author) is to add a firmware-based Windows stanza in the rEFInd configuration (e.g. menuentry "Windows 10" { firmware_bootnum 0000 }). Instead of booting Windows through rEFInd, it'll reboot the machine and boot Windows through UEFI directly. It increases the boot time (you'll need an additional reboot), but it might be a cost someone is willing to pay to have everything bootable through the rEFInd interface. I'm actually using that solution on my machine and it works well for me.

Last edited by no-cheating (2021-04-11 16:12:19)

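An added example, not from the thread or from rEFInd itself: a small Python script that parses `efibootmgr -v` output like the one quoted in the first post, picks the enabled entry that launches bootmgfw.efi, and prints the firmware_bootnum stanza from the workaround above, so the boot number can be re-checked whenever the firmware's entries change. The sample output and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample of `efibootmgr -v` output, modelled on the entries quoted
# in the thread (the Windows entry's trailing optional data is shortened).
SAMPLE_EFIBOOTMGR = (
    "Boot0000* Windows Boot Manager\tHD(1,GPT,50e6f6b2-2bf2-41e5-9fd2-26adaf4dfd4e,0x800,0x82000)"
    "/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{...}\n"
    "Boot0001  rEFInd Boot Manager (direct)\tHD(1,GPT,50e6f6b2-2bf2-41e5-9fd2-26adaf4dfd4e,0x800,0x82000)"
    "/File(\\EFI\\refind\\grubx64.efi)\n"
    "Boot0002* rEFInd Boot Manager\tHD(1,GPT,50e6f6b2-2bf2-41e5-9fd2-26adaf4dfd4e,0x800,0x82000)"
    "/File(\\EFI\\refind\\shimx64.efi)\n"
)

# "Boot0000* Label<TAB>device-path": the '*' marks an enabled entry.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})([* ]) (.*?)\t(.*)$")
FILE_RE = re.compile(r"/File\(([^)]*)\)")


@dataclass
class BootEntry:
    num: str             # four hex digits, the form firmware_bootnum takes
    active: bool
    label: str
    path: Optional[str]  # EFI file path from the device path, if present


def parse_boot_entries(text: str) -> Dict[str, BootEntry]:
    """Collect Boot#### lines from `efibootmgr -v`; other lines are ignored."""
    entries: Dict[str, BootEntry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            num, flag, label, devpath = m.groups()
            f = FILE_RE.search(devpath)
            entries[num] = BootEntry(num, flag == "*", label, f.group(1) if f else None)
    return entries


def is_windows_boot_manager(entry: BootEntry) -> bool:
    """True when the entry launches Microsoft's bootmgfw.efi directly."""
    return bool(entry.path) and entry.path.lower().endswith("\\efi\\microsoft\\boot\\bootmgfw.efi")


def find_windows_bootnum(entries: Dict[str, BootEntry]) -> Optional[str]:
    """Lowest enabled entry that boots bootmgfw.efi, or None if there is none."""
    for num in sorted(entries):
        if entries[num].active and is_windows_boot_manager(entries[num]):
            return num
    return None


def refind_firmware_stanza(bootnum: str, title: str = "Windows 10") -> str:
    """Manual refind.conf stanza that reboots into the firmware's own Windows entry."""
    return f'menuentry "{title}" {{\n    firmware_bootnum {bootnum}\n}}\n'
```

Feed it the real output with `parse_boot_entries(subprocess.check_output(["efibootmgr", "-v"], text=True))` and paste the returned stanza into refind.conf; a None result means no enabled entry points at bootmgfw.efi, so the stanza would reboot into something else.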