Windows with Bitlocker and Secure Boot and TPM both active can’t be booted from the GRUB

Hi all,

This is meant to be a follow-up to a recent post from @kparal, which seems to be closed now.

Windows with encrypted disks (Bitlocker) can’t be booted from the GRUB boot menu

Workarounds:

When you want to boot into encrypted Windows installation, you must invoke an UEFI one-time boot menu (immediately after your system is started), from which you can boot into Windows directly, avoiding the GRUB boot loader. This one-time boot menu is often invoked by pressing keys such as Esc or F12, but each system has its own configuration. It’s also possible that you’ll need to enable this menu first in the UEFI setup, often accessible by pressing Esc, F1 or Enter during startup (again, each system is different, consult your system/motherboard documentation or on-screen hints during power-on).

The main limitation here is that GNU GRUB has no feature (AFAIK) to directly modify EFI/NVRAM variables. If GRUB could, we would be able to:

  1. Add a GRUB menuentry which could indicate that the next boot will be for Windows 10/11
  2. It would point for the next boot to EFI/Microsoft/Boot/bootmgfw.efi
  3. After booting into Windows and then shutting it down, the following boot would revert to Fedora

This GRUB menuentry would be similar to the existing fwsetup one, already standard in Fedora Workstation (I’m using Silverblue), as generated in /boot/grub2/grub.cfg:

```
### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
	fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###
```

Maybe we could work around this GRUB limitation and still keep it user friendly, in a foreseeable future where almost all new desktops may be installed with TPM active, Secure Boot active and Windows 10+ with Bitlocker active. What about this:

Creating a GRUB menu entry which would boot a Fedora kernel (and parameters) and then load a stripped-down initramfs, for the sole purpose of accessing /usr/bin/efibootmgr.

It would then create or locate the NVRAM entry for Windows and set a BootNext locked to <Windows UUID disk>/EFI/Microsoft/Boot/bootmgfw.efi.

Being a newbie here, I’ll try to set this up if possible but I do lack many of the necessary knowledge.

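The efibootmgr step described in the post above, as an added example that is not part of the original post or of Fedora’s grub2 package: a POSIX shell script meant to run from the stripped-down initramfs the post proposes (or from a normal Fedora root shell). It finds the UEFI boot entry whose device path ends in bootmgfw.efi, sets it as BootNext and reboots. The sample efibootmgr output, the function names and the `--go` flag are constructed for this example; the `efibootmgr -v` and `efibootmgr --bootnext` options themselves are real. It assumes efibootmgr is installed, efivarfs is mounted at /sys/firmware/efi/efivars and the script runs as root.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post or from Fedora.
# GRUB cannot write UEFI NVRAM variables itself, so a small Fedora boot target
# (kernel + minimal initramfs) runs this instead: locate the Windows Boot
# Manager entry, set it as BootNext, reboot. The firmware consumes BootNext
# after one use, so the boot after the Windows session falls back to BootOrder
# (shim -> GRUB -> Fedora) without any change to BootOrder itself.
# Assumptions: efibootmgr in PATH, efivarfs mounted, running as root.

# Constructed sample of `efibootmgr -v` output, used only to exercise the
# parser below. GUIDs are truncated placeholders, not real values, and the
# tab efibootmgr prints between name and path is shown as a space here.
SAMPLE_EFIBOOTMGR='BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0003,0000,0001
Boot0000* Windows Boot Manager HD(1,GPT,5f6e...,0x800,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{9dea862c-5cdd-4e70-acc1-f32b344d4795}
Boot0001* UEFI OS HD(1,GPT,5f6e...,0x800,0x32000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0003* Fedora HD(1,GPT,5f6e...,0x800,0x32000)/File(\EFI\fedora\shimx64.efi)'

# find_windows_bootnum: read `efibootmgr -v` output on stdin and print the
# 4-hex-digit number of the first entry whose device path contains
# bootmgfw.efi (upper-cased, as efibootmgr -n accepts). Matching is
# case-insensitive because firmware usually stores the path in capitals.
# Prints nothing when no such entry exists.
find_windows_bootnum() {
    tr '[:upper:]' '[:lower:]' \
    | sed -n 's/^boot\([0-9a-f]\{4\}\)\*\{0,1\}[[:space:]].*bootmgfw\.efi.*/\1/p' \
    | head -n 1 \
    | tr '[:lower:]' '[:upper:]'
}

# bootnext_points_to NUM: read efibootmgr output on stdin and succeed only if
# it reports "BootNext: NUM". efibootmgr prints the new variable state after
# a write, so this confirms the write landed before we reboot.
bootnext_points_to() {
    want=$1
    tr '[:lower:]' '[:upper:]' \
    | sed -n 's/^BOOTNEXT: *\([0-9A-F]\{4\}\).*/\1/p' \
    | grep -qx "$want"
}

# boot_windows_next: the real action. Needs root and efivarfs; in a minimal
# initramfs mount it first with:
#   mount -t efivarfs efivarfs /sys/firmware/efi/efivars
boot_windows_next() {
    num=$(efibootmgr -v | find_windows_bootnum) || return 1
    if [ -z "$num" ]; then
        echo "no UEFI boot entry pointing at bootmgfw.efi found" >&2
        return 1
    fi
    # --bootnext writes the BootNext variable for exactly one boot.
    if ! efibootmgr --bootnext "$num" | bootnext_points_to "$num"; then
        echo "setting BootNext=$num failed (not root, or efivarfs not mounted?)" >&2
        return 1
    fi
    systemctl reboot
}

# Only act when explicitly asked, so the file can be sourced for testing.
if [ "${1:-}" = "--go" ]; then
    boot_windows_next
fi
```

Why BootNext sidesteps the BitLocker problem where a GRUB `chainloader` of bootmgfw.efi does not: with Secure Boot on, BitLocker’s TPM protector is sealed to PCR measurements that include the Secure Boot policy and the signing authority of the loaded boot image (PCR 7). Booting through shim and GRUB adds measurements that Windows never saw when it sealed the key, so the key does not unseal and Windows drops to the recovery prompt; with BootNext the firmware loads bootmgfw.efi directly and the measured chain is the one Windows expects. If no Windows entry exists at all, `efibootmgr -c -d <disk> -p <ESP partition number> -L "Windows Boot Manager" -l '\EFI\Microsoft\Boot\bootmgfw.efi'` creates one, and `efibootmgr -N` clears a BootNext that was set by mistake.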

A related ticket: Issue #278: Future of dual booting Windows and Fedora - fedora-workstation - Pagure.io

Using a Microsoft Surface Go … impossible to install Fedora 35 after forgetting to deactivate Bitlocker, with secure boot disabled => error concerning Bitlocker. Tried again with secure boot enabled: worked like a charm. You can retrieve your Bitlocker key from your Microsoft account.

Thanks @kparal

This is most helpful.

By the way, related to this thread, there also seem to be, for the grub shipped with Fedora, some features that have been lost, are unavailable or are broken:

  1. The loopback command generates errors:

```
grub> loopback loop /Fedora-Workstation-Live-x64_86-36_Beta-1.4.iso
error: ../../grub-core/kern/mm.c:376: out of memory
```

     This error occurs with the different versions of grub2 from Fedora 33 to Fedora 37. The loopback command works without error only for Fedora 32 (whose EOL is in 1 month…) and previous versions.

  2. The smbios module doesn’t exist in the Fedora source package but is documented by the Red Hat Bootloader Team.

  3. Some recent EFI features exist but are not accessible: connectefi and efifwsetup.

  4. Any documentation or tools explaining how internationalization for grub could be done in Fedora (French language and keyboard, for example) is lacking.

I can’t file an entry in Bugzilla and I do not know how to contact the maintainers of the Fedora source package rpm/grub2.

Since grub2 has to be signed by Fedora (with Secure Boot on, shim would otherwise not hand over to grub), building a custom GNU GRUB from upstream is not feasible.

Can anyone help and forward those elements so it can be shared / discussed ?

Thank you @marko23

Could you please be more specific on how it did work with SecureBoot on, Bitlocker on and TPM 2.0 on ? Do you have a working Windows 10 Grub Menu entry ?

Thanks for sharing step by step if possible

Dual boot Fedora + Windows? … With W10, Microsoft changed to a digital license linked to a Microsoft account and an electronic signature of your device. This allows changing device, leaping from one to another: one licence, one device linked to the same MS account. All Surface devices have TPM 2.0 and EFI on flash memory, so the digital signature is loaded somewhere from a chip or the whole device. If my Surface Go boots with secure boot enabled, Microsoft and Red Hat have an agreement, as Fedora is directly linked to Red Hat.
I’m now using Fedora 36 with Microsoft Edge linked to my MS account, having access to OneDrive, Office online, Azure T-SQL and cognitive services. Also Visual Studio Code, as Microsoft has many apps on the Linux platform.
I don’t think that dual boot is possible, as Microsoft telemetry will block things, no blame, no shame. I can’t load another OS: limited access to the BIOS, Surface devices being closed hardware, and having erased the recovery partition. Grub will probably hit the same wall …
My knowledge about Bitlocker comes from my first generation Surface Go with W10 Pro. As an Insider on an ineligible device, I used W11 then went back to W10 but downgraded to Home edition with Bitlocker enabled but no key to unlock, needing service by Microsoft to reinstall Windows (yes, even MS gets confused …).

@marko23 : Most interesting !

And how did you install Fedora on your Surface ? With the iso provided at getfedora.org: Download Fedora 36 Workstation ?

First with 35 iso, after update to 36 by DNF, finally reinstall with 36 beta iso

Thanks. @marko23

I have a Dell; my install is comparable to yours, and to switch from one to the other I need a GRUB menu entry.

And how do you switch between Fedora and Windows on your Windows Surface ?

I don’t … one device, one OS (Fedora, Red Hat, Ubuntu, … no Windows but access to services like I do with Google => WaaS : Windows as a Service). I think that you are following a lost path, Microsoft is stopping development with W11, telemetry will block activation of license. Explore MS apps on Linux and Android, Ubuntu is the reference platform but Fedora works fine. Ubuntu 22.04 LTS is based on Snap, things can change …

I answered on Android smartphone using Gmail Go, adding text on Surface Go with Fedora. I use MS Authenticator on very simple smartphone linked to Surface Go to use NVidia software on Ubuntu based workstation using cuda on GPU device … your question links to something else …

Thanks @marko23

It is most informative, as I had no clue at all about the Microsoft switch from an installed OS in Windows 11 to Windows as a Service…

I’ll have to dig infos about this…

You have missed something … W10 is an amazing point for Microsoft switching to useful MS account developing apps on iOS, Android and Linux while muscling Azure resources : T-SQL database all in the cloud and cognitive services built in small pieces like a LEGO kit. The OS was developed following CI always updated staying W10, sooner or later simply Windows. Not completely open source but something very close. Red Hat is now tied to IBM with access to IBM Cloud with similar approach like Azure toolkit, very high level resources and Power 10 CPU.

W11 is going backwards, Fedora close to Red Hat is moving fast being IBM playground.

To me it sounds normal that the TPM chip asks for the Bitlocker PIN at Windows OS boot-time; Bitlocker is Windows OS, not Fedora… so it seems logical to me that if you want to access the HDD/SSD where a Windows OS is installed, it asks for the Bitlocker PIN…
or am I missing the point here?

Not so simple … BitLocker was introduced in Windows Vista. TPM is a security feature, mandatory for W11 with TPM 2.0, and apparently not supported in the Linux kernel. Secure boot is a feature introduced by Intel, developing EFI as a replacement for BIOS as an industry standard. I’m using a Microsoft Surface Go with Fedora: with secure boot disabled it gives a BitLocker warning but still boots; with it enabled it works like a charm, but Grub is hidden if used. I also installed the W10 Pro edition on a desktop without TPM, and everything works including Bitlocker and the Azure connection. Grub is an old feature set to enable downgrading the kernel version if necessary. Microsoft is getting nervous, using telemetry to secure information; dual booting with it is a mistake.

I’m not using Bitlocker, but booting Windows 11 via GRUB is now failing for me (frozen boot animation), while booting from the motherboard boot list works. Could it be the same issue?

Details:

  • Secure Boot enabled
  • UEFI (disabled legacy support)