Have you tried that approach yet?
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Gu
Hi,
> But they also say this:
>
> | The default state of Secure Boot has a wide circle of trust which can
> | result in customers trusting boot components they may not need. Since
> | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for
> | all Linux distributions, trusting the
On Mon, Aug 1, 2022, at 6:51 AM, Kamil Paral wrote:
>
> I suppose Anaconda would have to be involved, detect encrypted partitions and
> provide a hint when the bootloader is created. It would be a static solution,
> far from ideal, but arguably better than the current state.
I think a GRUB pa
Zammis Clark wrote:
> > It doesn't help that Microsoft does not embed the name of the party
> > who submitted an UEFI driver for signing in the signature itself.
>
> Microsoft does do this; it's in an authenticated attribute with OID
> 1.3.6.1.4.1.311.2.1.12, aka "SPC_SP_OPUS_INFO_OBJID", it's doc
On Fri, Jul 29, 2022 at 2:32 PM Chris Murphy
wrote:
> On Fri, Jul 29, 2022, at 4:38 AM, Kamil Paral wrote:
>
> Currently there is this (insufficient, of course):
>
> https://ask.fedoraproject.org/t/windows-with-encrypted-disks-bitlocker-cant-be-booted-from-the-grub-boot-menu/20612
>
>
> Looks pre
> It doesn't help that Microsoft does not embed the name of the party
> who submitted an UEFI driver for signing in the signature itself.
Microsoft does do this; it's in an authenticated attribute with OID
1.3.6.1.4.1.311.2.1.12, aka "SPC_SP_OPUS_INFO_OBJID", it's documented as
part of Office do
Florian Weimer wrote:
> But they also say this:
>
> | The default state of Secure Boot has a wide circle of trust which can
> | result in customers trusting boot components they may not need. Since
> | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for
> | all Linux distribution
Nico Kadel-Garcia wrote:
> It's DRM, not ransomware.
Sounds to me like "it's not crap, it's poop". ;-)
> It's locking in, not deleting, your existing access
It sneakily encrypts your data forcing you to fulfill specific conditions to
access it, just like ransomware does.
> and tying it to spec
On Tue, 26 Jul 2022 at 19:06, Chris Murphy wrote:
> b. Add a user space utility that modifies system NVRAM such that the next boot
> (only) will directly boot the Windows bootloader.
In fwupd we add a Boot target and set BootNext to run the capsule
update loader. 99.99% of the time it works just
Once upon a time, Vojtech Trefny said:
> "BitLocker automatic device encryption starts during Out-of-box (OOBE)
> experience.
> However, protection is enabled (armed) only after users sign in with a
> Microsoft Account
> or an Azure Active Directory account. Until that, protection is
> suspended
> * Vitaly Zaitsev via devel:
>
>
> But they also say this:
>
> | The default state of Secure Boot has a wide circle of trust which can
> | result in customers trusting boot components they may not need. Since
> | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for
> | all Linu
On Thu, Jul 28, 2022 at 2:39 PM Chris Adams wrote:
>
> Once upon a time, Vojtech Trefny said:
> > This is also what happens if you choose to "decrypt" your BitLocker
> > volume in Windows so if it is this case, cryptsetup doesn't support
> > it. We intentionally ignored this case mostly because i
On Do, 28.07.22 17:18, Gregory Bartholomew (gregory.lee.bartholo...@gmail.com)
wrote:
> > One is not really supposed to have multiple ESPs on the same
> > medium. ...
>
> That "on the same medium" is an interesting caveat. I've been trying to do
> A/B type configurations where there are two (or m
On Fri, Jul 29, 2022, at 9:29 AM, Philipp Homann wrote:
> Hi,
>
> haven't read all the posts, maybe this was mentioned in one of them.
>
> What about an EFI binary, which sets the next boot entry and initiates
> a reboot?
> This can be loaded by grub with the next boot device as parameter,
> wh
Hi,
haven't read all the posts, maybe this was mentioned in one of them.
What about an EFI binary, which sets the next boot entry and initiates a reboot?
This can be loaded by grub with the next boot device as parameter, which can be
dynamically set on grub config generation.
Or even as a BLS en
On Fri, Jul 29, 2022, at 5:25 AM, Lennart Poettering wrote:
> On Fr, 29.07.22 00:21, Peter Boy (p...@uni-bremen.de) wrote:
>
>> > One is not really supposed to have multiple ESPs
>>
>> I have another question regarding multiple ESPs, maybe a bit
>> off-topic. For software raid we currently have a
On Fri, Jul 29, 2022, at 4:38 AM, Kamil Paral wrote:
>> - Documentation: GRUB's Windows boot option may not work, how to use
>> efibootmgr --bootnext and --bootorder
>
> Currently there is this (insufficient, of course):
> https://ask.fedoraproject.org/t/windows-with-encrypted-disks-bitlocker-c
On Fri, Jul 29, 2022 at 01:52:28PM +0200, Florian Weimer wrote:
> * Daniel P. Berrangé:
>
> >> Unfortunately, Fedora promoted this broken model with pervasive
> >> cross-distribution/cross-OS trust as well. People are generally quick
> >> to criticize those who control a PKI, but very few organiz
* Daniel P. Berrangé:
>> Unfortunately, Fedora promoted this broken model with pervasive
>> cross-distribution/cross-OS trust as well. People are generally quick
>> to criticize those who control a PKI, but very few organizations are
>> willing to step up to hold the key material for the key of l
On 29/07/2022 11:55, Daniel P. Berrangé wrote:
This doesn't mean that everything is suddenly going to be 'Secure-cored"
and thus prevent use of shim out of the box.
They will begin enforcing this "Secure-cored" policy very soon.
An open question is just how widely the OEM hardware vendors wil
On Fri, Jul 29, 2022 at 11:26:15AM +0200, Florian Weimer wrote:
> * Vitaly Zaitsev via devel:
>
> > On 26/07/2022 20:05, Chris Murphy wrote:
> >> Summary: Windows 10/11 increasingly enables Bitlocker (full disk
> >> encryption) out of the box with the encryption key sealed in the TPM. Two
> >> d
On Thu, Jul 28, 2022 at 07:47:15PM +0200, Vitaly Zaitsev via devel wrote:
> On 26/07/2022 20:05, Chris Murphy wrote:
> > Summary: Windows 10/11 increasingly enables Bitlocker (full disk
> > encryption) out of the box with the encryption key sealed in the TPM. Two
> > different issues result:
>
>
* Vitaly Zaitsev via devel:
> On 26/07/2022 20:05, Chris Murphy wrote:
>> Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption)
>> out of the box with the encryption key sealed in the TPM. Two different
>> issues result:
>
> Microsoft has published a new security bulletin
On Fr, 29.07.22 00:21, Peter Boy (p...@uni-bremen.de) wrote:
> > One is not really supposed to have multiple ESPs
>
> I have another question regarding multiple ESPs, maybe a bit
> off-topic. For software raid we currently have a kind of „off-label
> use“. Anaconda puts the ESP on a raid partition
On Thu, Jul 28, 2022 at 6:52 PM Chris Murphy
wrote:
> Short term approaches:
>
> - Documentation: GRUB's Windows boot option may not work, how to use
> efibootmgr --bootnext and --bootorder
>
Currently there is this (insufficient, of course):
https://ask.fedoraproject.org/t/windows-with-encrypte
> On 29 Jul 2022, at 06:53, Nico Kadel-Garcia wrote:
>
> On Tue, Jul 26, 2022 at 4:07 PM Kevin Kofler via devel
> wrote:
>>
>> Chris Murphy wrote:
>>> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value,
>>> so that instead of chainloading the Windows bootloader from GR
On Tue, Jul 26, 2022 at 9:16 PM Kevin Kofler via devel
wrote:
>
> Chris Murphy wrote:
> > Summary: Windows 10/11 increasingly enables Bitlocker (full disk
> > encryption) out of the box with the encryption key sealed in the TPM.
> […]
> > The Bitlocker encryption key is unsealed only if the boot c
On Tue, Jul 26, 2022 at 4:07 PM Kevin Kofler via devel
wrote:
>
> Chris Murphy wrote:
> > a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value,
> > so that instead of chainloading the Windows bootloader from GRUB, GRUB
> > will modify the system NVRAM such that the next boot (
> On 28.07.2022 at 22:17, Lennart Poettering wrote:
>
> One is not really supposed to have multiple ESPs
I have another question regarding multiple ESPs, maybe a bit off-topic. For
software raid we currently have a kind of „off-label use“. Anaconda puts the
ESP on a raid partition (and the
On Thu, Jul 28, 2022 at 3:17 PM Lennart Poettering
wrote:
> On Do, 28.07.22 15:03, Chris Murphy (li...@colorremedies.com) wrote:
>
> > > Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR
> > > so that the firmware will pick it up properly. The only problem is when
> > > using the bootc
On Do, 28.07.22 15:03, Chris Murphy (li...@colorremedies.com) wrote:
> > Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR so
> > that the firmware will pick it up properly. The only problem is when using
> > the bootctl command to initialize that partition (/boot), it require
On Do, 28.07.22 13:05, Gregory Bartholomew (gregory.lee.bartholo...@gmail.com)
wrote:
> VFAT-formatted version of the partition somewhere and perhaps leave the old
> one as a (temporary) failback. Besides the bootloader itself, all that is
> really on the /boot partition is the kernel and initram
On Thu, Jul 28, 2022, at 2:47 PM, Gregory Bartholomew wrote:
> On Thu, Jul 28, 2022 at 1:34 PM Chris Murphy wrote:
>> Seems to me the only valid type code for a merged ESP+XBOOTLDR is ESP. What
>> am I missing?
>
> Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR so that
>
On Thu, Jul 28, 2022 at 1:34 PM Chris Murphy
wrote:
> Seems to me the only valid type code for a merged ESP+XBOOTLDR is ESP.
> What am I missing?
>
Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR so
that the firmware will pick it up properly. The only problem is when using
t
On Thu, Jul 28, 2022, at 2:05 PM, Gregory Bartholomew wrote:
>
> Also, this might be a little off-topic, but I've recommended that people use
> systemd-boot when trying to dual-boot Windows before:
> https://ask.fedoraproject.org/t/dual-booting-windows-10-and-fedora-34/14158/2
> The user repor
On Thu, Jul 28, 2022 at 10:40 AM Lennart Poettering
wrote:
> ...
>
> But anyway, I am actually advocating for sticking to VFAT
> everywhere. ext4 drivers in the boot loader only are necessary for the
> upgrade path.
>
>
I'd like to 2nd the motion to try to stick with VFAT in the boot path until
r
On 26/07/2022 20:05, Chris Murphy wrote:
Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption)
out of the box with the encryption key sealed in the TPM. Two different issues
result:
Microsoft has published a new security bulletin on the current state of
Secure Boot:
h
OK. Happy day, we have maybe come full circle. Here's my attempt at a summary:
* systemd-boot should be evaluated for Secure Boot signing, so that it can be a
viable and testable alternative bootloader to GRUB. Maybe this opens the door
to changing the default bootloader in Fedora down the road
On Do, 28.07.22 10:25, Chris Adams (li...@cmadams.net) wrote:
> Once upon a time, Lennart Poettering said:
> > Given the overlap of the Fedora/RH boot loader folks and the shim
> > folks, I think there's definitely an avenue to get systemd-boot signed
> > as payload for SHIM, as alternative to Gr
On Do, 28.07.22 16:54, Petr Pisar (ppi...@redhat.com) wrote:
> > This sounds pretty awesome, actually. I'd like to see that get
> > implemented...
> >
> Unfortunately (complex) file system drivers are not written with safety
> in mind. They rather prefer performance over security. If somebody si
Once upon a time, Lennart Poettering said:
> Given the overlap of the Fedora/RH boot loader folks and the shim
> folks, I think there's definitely an avenue to get systemd-boot signed
> as payload for SHIM, as alternative to Grub. If Fedora wants this, and
> has the man power for it, it should be
Sorry for showing up here unannounced.
This is a very strange claim. I'm not speaking in any official capacity but at
least __personally__ being at the Linux Systems Group at MSFT I've never
encountered any hard requirement on grub.
In any case, I want to point out a few things:
* Some of t
On Thu, Jul 28, 2022 at 06:31:55AM -0700, Neal Gompa wrote:
> On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering
> wrote:
> >
> > On Mi, 27.07.22 16:50, Chris Murphy (li...@colorremedies.com) wrote:
> >
> > > > I prefer no shim in my computers. I'm using systemd-boot signed by my
> > > > own C
On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering wrote:
>
> On Mi, 27.07.22 16:50, Chris Murphy (li...@colorremedies.com) wrote:
>
> > > I prefer no shim in my computers. I'm using systemd-boot signed by my
> > > own CA.
> >
> > That is not a generic solution we can ship in Fedora. Since each
>
On Di, 26.07.22 13:37, Neal Gompa (ngomp...@gmail.com) wrote:
> > > As I already mentioned the last time this has come up: Why can we not,
> > > instead of chainloading Windows directly, chainload a systemd-boot
> > > configured to always bootnext to Windows?
> >
> > Pretty sure shim still hard co
Once upon a time, Vojtech Trefny said:
> This is also what happens if you choose to "decrypt" your BitLocker
> volume in Windows so if it is this case, cryptsetup doesn't support
> it. We intentionally ignored this case mostly because it looked like a
> small corner case (if you choose to decrypt
On Thu, Jul 28, 2022, at 2:11 AM, Vojtech Trefny wrote:
> On Wed, Jul 27, 2022 at 5:53 PM Chris Murphy wrote:
>>
>>
>>
>> On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote:
>> > Once upon a time, Neal Gompa said:
>> >> My understanding is that Windows preloads are now blank-encrypted.
>> >>
On Wed, Jul 27, 2022 at 5:53 PM Chris Murphy wrote:
>
>
>
> On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote:
> > Once upon a time, Neal Gompa said:
> >> My understanding is that Windows preloads are now blank-encrypted.
> >> That is, there's a BitLocker volume wrapping the filesystem, even w
On Wed, Jul 27, 2022, at 9:46 PM, Stephen Smoogen wrote:
>
>
> On Wed, Jul 27, 2022 at 17:37 Chris Murphy wrote:
>>
>>
>> On Wed, Jul 27, 2022, at 5:07 PM, Lennart Poettering wrote:
>> > On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote:
>>
>> >> If the add
On Mi, 27.07.22 17:35, Chris Murphy (li...@colorremedies.com) wrote:
> >> If the additional barrier to adoption that Fedora imposes is that
> >> every distro needs to also include signed efifs ext4 in order to
> >> read $BOOT, I think it's too much.
> >
> > I do not follow that logic. First of all
On Mi, 27.07.22 17:15, Chris Murphy (li...@colorremedies.com) wrote:
>
>
> On Wed, Jul 27, 2022, at 4:47 PM, Lennart Poettering wrote:
> > On Mi, 27.07.22 16:19, Chris Murphy (li...@colorremedies.com) wrote:
> >
> >> >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or
> >> >
On Wed, Jul 27, 2022 at 17:37 Chris Murphy wrote:
>
>
> On Wed, Jul 27, 2022, at 5:07 PM, Lennart Poettering wrote:
> > On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote:
>
> >> If the additional barrier to adoption that Fedora imposes is that
> >> every distro ne
On 7/26/22 21:56, Chris Murphy wrote:
>
>
> On Tue, Jul 26, 2022, at 7:18 PM, Chris Adams wrote:
>> Once upon a time, Chris Murphy said:
>>> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value,
>>> so that instead of chainloading the Windows bootloader from GRUB, GRUB will
On Wed, Jul 27, 2022, at 5:07 PM, Lennart Poettering wrote:
> On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote:
>> If the additional barrier to adoption that Fedora imposes is that
>> every distro needs to also include signed efifs ext4 in order to
>> read $BOOT,
On Wed, Jul 27, 2022 at 10:31 PM Lennart Poettering
wrote:
>
[...]
> > The lack of an upgrade path, I think, is a bigger issue than a
> > system-wide change proposal to: switch to systemd-boot on UEFI,
> > including FAT /boot partition, for new clean installs.
>
> I don't think the upgrade path
On Wed, Jul 27, 2022, at 4:47 PM, Lennart Poettering wrote:
> On Mi, 27.07.22 16:19, Chris Murphy (li...@colorremedies.com) wrote:
>
>> >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or
>> >> Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be
>> >>
On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote:
>
>
> On Wed, Jul 27, 2022, at 4:30 PM, Lennart Poettering wrote:
>
> > So, let's say you want to make sd-boot be able to access a legacy ext4
> > /boot/ fs. First, fix the GPT partition type of that /boot/ partition
>
On Mi, 27.07.22 16:50, Chris Murphy (li...@colorremedies.com) wrote:
> > I prefer no shim in my computers. I'm using systemd-boot signed by my
> > own CA.
>
> That is not a generic solution we can ship in Fedora. Since each
> distro ships their own shim, they'd each have to ship their own
> signed
On Wed, Jul 27, 2022, at 4:30 PM, Lennart Poettering wrote:
> So, let's say you want to make sd-boot be able to access a legacy ext4
> /boot/ fs. First, fix the GPT partition type of that /boot/ partition
> to be the XBOOTLDR one (so that sd-boot can recognize it; currently
> fedora for some rea
On Wed, Jul 27, 2022, at 4:27 PM, Vitaly Zaitsev via devel wrote:
> On 27/07/2022 22:19, Chris Murphy wrote:
>> * $BOOT is supposed to be readable by all distros that share $BOOT
>
> It will. efifs will be installed to ESP partition.
>
>> * efifs drivers must be signed in order to be loaded on UE
On Mi, 27.07.22 16:19, Chris Murphy (li...@colorremedies.com) wrote:
> >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or
> >> Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be
> >> FAT in order to fulfill the interoperability intent of the spec, bec
On Mi, 27.07.22 10:13, Chris Murphy (li...@colorremedies.com) wrote:
> > Since you say systemd-boot can already do what we want in this regard:
> >
> > e. Replace grub for EFI systems with systemd-boot ?
>
> I wish it were possible. I'm pretty sure the Red Hat bootloader team
> has no time or in
On 27/07/2022 22:19, Chris Murphy wrote:
* $BOOT is supposed to be readable by all distros that share $BOOT
It will. efifs will be installed to ESP partition.
* efifs drivers must be signed in order to be loaded on UEFI Secure Boot
enabled systems
True. But I think Fedora can sign drivers
On Wed, Jul 27, 2022, at 2:36 PM, Vitaly Zaitsev via devel wrote:
> On 27/07/2022 18:53, Chris Murphy wrote:
>> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or
>> Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be FAT
>> in order to fulfill the inter
On 27/07/2022 18:53, Chris Murphy wrote:
Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or Extended
Boot Loader Partition (XBOOTLDR), and in effect they need to be FAT in order to
fulfill the interoperability intent of the spec, because it is a shared $BOOT
across all dist
On Wed, Jul 27, 2022, at 1:17 PM, Milan Broz wrote:
> On 27/07/2022 17:52, Chris Murphy wrote:
>> On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote:
>>> Once upon a time, Neal Gompa said:
My understanding is that Windows preloads are now blank-encrypted.
That is, there's a BitLocker
On 27/07/2022 17:52, Chris Murphy wrote:
On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote:
Once upon a time, Neal Gompa said:
My understanding is that Windows preloads are now blank-encrypted.
That is, there's a BitLocker volume wrapping the filesystem, even with
encryption turned off. It
On Wed, Jul 27, 2022, at 12:11 PM, Daniel P. Berrangé wrote:
> On Wed, Jul 27, 2022 at 10:13:57AM -0400, Chris Murphy wrote:
>>
>>
>> On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote:
>> >
>> > Since you say systemd-boot can already do what we want in this regard:
>> >
>> > e. Replace
On Wed, Jul 27, 2022 at 10:13:57AM -0400, Chris Murphy wrote:
>
>
> On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote:
> >
> > Since you say systemd-boot can already do what we want in this regard:
> >
> > e. Replace grub for EFI systems with systemd-boot ?
>
> I wish it were possible
On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote:
> Once upon a time, Neal Gompa said:
>> My understanding is that Windows preloads are now blank-encrypted.
>> That is, there's a BitLocker volume wrapping the filesystem, even with
>> encryption turned off. It makes encrypting the disk later
Once upon a time, Neal Gompa said:
> My understanding is that Windows preloads are now blank-encrypted.
> That is, there's a BitLocker volume wrapping the filesystem, even with
> encryption turned off. It makes encrypting the disk later
> significantly easier (it doesn't have to do filesystem resi
On Wed, Jul 27, 2022 at 7:15 AM Chris Adams wrote:
>
> Once upon a time, Chris Murphy said:
> > This is a good point to underscore. The user experience following a Fedora
> > installation when Bitlocker is enabled, is the appearance of Windows being
> > broken or inaccessible. We are probably b
On Wed, Jul 27, 2022 at 12:12 PM Vitaly Zaitsev via devel
wrote:
>
> On 26/07/2022 20:05, Chris Murphy wrote:
> > Thoughts?
>
> e. Switch from GRUB 2 to systemd-boot for the UEFI installations.
Making it easier to choose to install systemd-boot
rather than grub (including signing systemd-boot)
at
Once upon a time, Chris Murphy said:
> This is a good point to underscore. The user experience following a Fedora
> installation when Bitlocker is enabled, is the appearance of Windows being
> broken or inaccessible. We are probably better off asking Anaconda to refuse
> to install when Bitlock
On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote:
>
> Since you say systemd-boot can already do what we want in this regard:
>
> e. Replace grub for EFI systems with systemd-boot ?
I wish it were possible. I'm pretty sure the Red Hat bootloader team has no
time or interest in it. An
On Wed, Jul 27, 2022, at 5:55 AM, Kamil Paral wrote:
>
> I've been to numerous events where we helped students install Fedora into
> dual boot. One of the top 5 questions afterwards (maybe even #1) is "how do I
> make it boot Windows by default?". In the old days, that consisted of editing
>
On 26/07/2022 20:05, Chris Murphy wrote:
Thoughts?
e. Switch from GRUB 2 to systemd-boot for the UEFI installations.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
On Tue, Jul 26, 2022 at 8:06 PM Chris Murphy
wrote:
> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value,
> so that instead of chainloading the Windows bootloader from GRUB, GRUB will
> modify the system NVRAM such that the next boot (only) will directly boot
> the Windows
On Tue, Jul 26, 2022 at 02:05:24PM -0400, Chris Murphy wrote:
> Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption)
> out of the box with the encryption key sealed in the TPM. Two different
> issues result:
>
> 1. Fedora's installer, Anaconda, can't resize Bitlocker volu
On Wed, Jul 27, 2022 at 05:07:39AM +0200, Kevin Kofler via devel wrote:
> Chris Murphy wrote:
> > cryptsetup does have Bitlocker support, so long as you have the recovery
> > key you can unlock and get access to your data, I've tested this.
>
> But you need a recovery key to begin with, because th
Chris Murphy wrote:
> cryptsetup does have Bitlocker support, so long as you have the recovery
> key you can unlock and get access to your data, I've tested this.
But you need a recovery key to begin with, because the main key is sealed in
the TPM and not visible from anything other than Windows.
Could someone sign systemd-boot please? That EFI boot seems simple to
use and very minimal especially for both x64 arch based desktop and laptop.
On 2022-07-26 16:14, Chris Murphy wrote:
On Tue, Jul 26, 2022, at 4:42 PM, Kevin Kofler via devel wrote:
Chris Murphy wrote:
On Tue, Jul 26, 2022,
On Tue, Jul 26, 2022, at 7:18 PM, Chris Adams wrote:
> Once upon a time, Chris Murphy said:
>> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value,
>> so that instead of chainloading the Windows bootloader from GRUB, GRUB will
>> modify the system NVRAM such that the next
On Tue, Jul 26, 2022, at 9:15 PM, Kevin Kofler via devel wrote:
> Chris Murphy wrote:
>> Summary: Windows 10/11 increasingly enables Bitlocker (full disk
>> encryption) out of the box with the encryption key sealed in the TPM.
> […]
>> The Bitlocker encryption key is unsealed only if the boot cha
Chris Murphy wrote:
> Summary: Windows 10/11 increasingly enables Bitlocker (full disk
> encryption) out of the box with the encryption key sealed in the TPM.
[…]
> The Bitlocker encryption key is unsealed only if the boot chain
> measurement by the TPM matches the expected values in a TPM PCR.
So
Chris Murphy wrote:
> It's a Rube Goldberg machine way of doing this.
Isn't that the Unix Way?
Kevin Kofler
On Tue, Jul 26, 2022, at 4:59 PM, Neal Gompa wrote:
> On Tue, Jul 26, 2022 at 1:43 PM Kevin Kofler via devel
> wrote:
>>
>> Chris Murphy wrote:
>> > On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote:
>> >> As I already mentioned the last time this has come up: Why can we not,
>> >>
Once upon a time, Chris Murphy said:
> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, so
> that instead of chainloading the Windows bootloader from GRUB, GRUB will
> modify the system NVRAM such that the next boot (only) will directly boot the
> Windows bootloader. T
On Tue, Jul 26, 2022, at 4:42 PM, Kevin Kofler via devel wrote:
> Chris Murphy wrote:
>> On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote:
>>> As I already mentioned the last time this has come up: Why can we not,
>>> instead of chainloading Windows directly, chainload a systemd-boo
On Tue, Jul 26, 2022 at 1:43 PM Kevin Kofler via devel
wrote:
>
> Chris Murphy wrote:
> > On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote:
> >> As I already mentioned the last time this has come up: Why can we not,
> >> instead of chainloading Windows directly, chainload a systemd-b
Chris Murphy wrote:
> On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote:
>> As I already mentioned the last time this has come up: Why can we not,
>> instead of chainloading Windows directly, chainload a systemd-boot
>> configured to always bootnext to Windows?
>
> Pretty sure shim st
On Tue, Jul 26, 2022 at 1:12 PM Chris Murphy wrote:
>
>
>
> On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote:
>
> > As I already mentioned the last time this has come up: Why can we not,
> > instead of chainloading Windows directly, chainload a systemd-boot
> > configured to always b
On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote:
> As I already mentioned the last time this has come up: Why can we not,
> instead of chainloading Windows directly, chainload a systemd-boot
> configured to always bootnext to Windows?
Pretty sure shim still hard codes the name
Chris Murphy wrote:
> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value,
> so that instead of chainloading the Windows bootloader from GRUB, GRUB
> will modify the system NVRAM such that the next boot (only) will directly
> boot the Windows bootloader. Thus far there's no in
Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption)
out of the box with the encryption key sealed in the TPM. Two different issues
result:
1. Fedora's installer, Anaconda, can't resize Bitlocker volumes. We could use
better documentation to help the user perform the vol
95 matches