On Mon, Sep 19, 2022, at 2:45 PM, Robbie Harwood wrote:
> I'm fine with the proposed change. I'm also fine with the original text.
>
> During boot, certain actions are taken that are recorded in the TPM.
> These include, for instance, any loaders that are run - like grub2. The
> result is that if you load Windows from grub2 rather than the EFI
> firmware, the TPM state will be different. BitLocker cares about this
> TPM state.
>
> So: if you install Windows and set up BitLocker booting through grub, it
> will continue to work through grub.
The Windows installer drops a payload on the drive, and sets a bootnext for an entry that
points to the Windows bootloader, not via GRUB.
And then, the instant we update either shim or grub, Windows boot will break.
I think working around this is sufficiently tedious no users are likely to do it.
--
Chris Murphy
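As an added illustration of the point made in this thread (my own example, not code from either poster): a simplified model of PCR extend that shows why a BitLocker policy sealed to a grub-based boot chain fails to unseal when Windows is booted directly, or when shim or grub is updated. It assumes a single PCR into which the SHA-256 of each loaded binary is extended; the component bytes are constructed stand-ins, not real images.

```python
import hashlib

# A PCR starts as all zeros at power-on and can only be extended, never reset.
PCR_INIT = bytes(32)


def measure(component: bytes) -> bytes:
    """Digest of a boot component (assumption: the whole binary is hashed)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest). Order-dependent, one-way."""
    return hashlib.sha256(pcr + digest).digest()


def boot_pcr(chain: list[bytes]) -> bytes:
    """Final PCR value after measuring every loader in the chain in order."""
    pcr = PCR_INIT
    for component in chain:
        pcr = extend(pcr, measure(component))
    return pcr


# Constructed stand-ins for the binaries involved.
SHIM_V1 = b"shim build 1 (constructed)"
SHIM_V2 = b"shim build 2 (constructed)"
GRUB = b"grub2 build 1 (constructed)"
BOOTMGFW = b"bootmgfw.efi (constructed)"


def direct_boot() -> bytes:
    """Firmware loads the Windows boot manager directly."""
    return boot_pcr([BOOTMGFW])


def grub_boot(shim: bytes = SHIM_V1, grub: bytes = GRUB) -> bytes:
    """Firmware loads shim, shim loads grub, grub chainloads Windows."""
    return boot_pcr([shim, grub, BOOTMGFW])


def seal(pcr: bytes) -> bytes:
    """Model BitLocker sealing its key to the PCR value seen at setup time."""
    return pcr


def unseal(policy: bytes, pcr: bytes) -> bool:
    """The TPM releases the key only if the current PCR matches the policy."""
    return pcr == policy
```

Seal to `grub_boot()` and every other path (direct boot, a new shim, a new grub) produces a different PCR value, so the key stays locked and BitLocker falls back to the recovery prompt.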