Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) out of the
box with the encryption key sealed in the TPM. Two different issues result:
1. Fedora's installer, Anaconda, can't resize Bitlocker volumes. We could use
better documentation to help the user perform the volume resize in Windows before
booting our installation media. The documentation probably should be
explicitly referenced by the Windows version of Fedora Media Writer.
2. The Bitlocker encryption key is unsealed only if the boot chain measurement by the TPM
matches the expected values in a TPM PCR. When shim+GRUB are in the boot chain, as is the
case in our default dual boot installation, the measurements are wrong, and this means the
GRUB menu entry to boot Windows won't work. The user is dropped to a Windows Bitlocker
recovery page. If they have their backup encryption key handy, it will work, but to say the
least this condition is unexpected and not user friendly - not least because many
users won't have this backup key handy, since they didn't take the action to enable
Bitlocker in the first place.
The bug report for this is
https://bugzilla.redhat.com/show_bug.cgi?id=2049849
It was a Fedora 36 final release blocking bug, but considered a "difficult to
fix" exceptional case, moving it to Fedora 37 final. Some of the options for
consideration:
a. Fix GRUB by giving it the ability to modify the UEFI NVRAM "bootnext" value, so
that instead of chainloading the Windows bootloader from GRUB, GRUB will modify the system
NVRAM such that the next boot (only) will directly boot the Windows bootloader. Thus far
there's no interest from GRUB upstream, whereas systemd-boot has implemented it.
b. Add a user space utility that modifies system NVRAM such that the next boot (only) will
directly boot the Windows bootloader, and also remove the Windows boot entry from GRUB on
UEFI systems. (It would be retained on BIOS systems.)
c. Change the release criterion.
https://fedoraproject.org/wiki/Fedora_36_Final_Release_Criteria#Windows_d...
Current: The installer must be able to install into free space alongside an existing clean
Windows installation and install a bootloader which can boot into both Windows and
Fedora.
Replacement: The installer must be able to install into free space alongside an existing
clean Windows installation, install and configure a bootloader that will boot Fedora.
d. Consider the problem sufficiently difficult to fix that we need an extension to the
exceptional case allowance, and waive the bug for another release.
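The one-shot NVRAM mechanism behind options (a) and (b), as an added shell example that is not from the bug report, GRUB or Fedora: it finds the Windows Boot Manager entry in the efibootmgr listing and arms it as BootNext so the firmware loads Windows directly and the TPM measurements are the ones Bitlocker expects. The efibootmgr listing embedded below is constructed, and boot_windows_next is a hypothetical name for such a utility.

```shell
#!/bin/sh
# Added example, not Fedora's or the bug report's code.
# Assumes efibootmgr's usual listing format: "BootXXXX* Label<TAB>device-path".

# Constructed sample of `efibootmgr` output for a Fedora/Windows dual boot.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager	HD(1,GPT,...)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)
Boot0001* Fedora	HD(1,GPT,...)/File(\EFI\fedora\shimx64.efi)'

# Read an efibootmgr listing on stdin and print the four-hex-digit Boot#### number
# of the Windows entry (matched by label or by the bootmgfw.efi path). Prints
# nothing when no such entry exists, so callers can detect the missing case.
find_windows_boot_entry() {
    awk '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*?[ \t]/ {
            line = tolower($0)
            if (index(line, "windows boot manager") || index(line, "bootmgfw.efi")) {
                print substr($1, 5, 4)   # strip the "Boot" prefix, keep the 4 hex digits
                exit
            }
        }'
}

# Arm a one-shot boot of Windows and reboot. Needs root and an EFI system.
# --bootnext sets only BootNext; BootOrder is untouched, so the firmware
# returns to GRUB (or whatever is first in BootOrder) on the boot after that.
boot_windows_next() {
    entry=$(efibootmgr | find_windows_boot_entry) || return 1
    if [ -z "$entry" ]; then
        echo "no Windows Boot Manager entry found in NVRAM" >&2
        return 1
    fi
    efibootmgr --bootnext "$entry" >/dev/null && systemctl reboot
}

# Dry run against the constructed sample; touches no NVRAM.
printf '%s\n' "$SAMPLE_EFIBOOTMGR" | find_windows_boot_entry
```

Run boot_windows_next as root on a real system; the dry run at the bottom only exercises the parser.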
Thoughts?
--
Chris Murphy