Re: future of dual booting Windows and Fedora, redux

2024-05-28 Thread Hieu Ha
Have you tried that approach yet? -- ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Gu

Re: future of dual booting Windows and Fedora, redux

2022-08-16 Thread Gerd Hoffmann
Hi, > But they also say this: > > | The default state of Secure Boot has a wide circle of trust which can > | result in customers trusting boot components they may not need. Since > | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for > | all Linux distributions, trusting the

Re: future of dual booting Windows and Fedora, redux

2022-08-01 Thread Chris Murphy
On Mon, Aug 1, 2022, at 6:51 AM, Kamil Paral wrote: > > I suppose Anaconda would have to be involved, detect encrypted partitions and > provide a hint when the bootloader is created. It would be a static solution, > far from ideal, but arguably better than the current state. I think a GRUB pa

Re: future of dual booting Windows and Fedora, redux

2022-08-01 Thread Kevin Kofler via devel
Zammis Clark wrote: > > It doesn't help that Microsoft does not embed the name of the party > who submitted an UEFI driver for signing in the signature itself. > > Microsoft does do this; it's in an authenticated attribute with OID > 1.3.6.1.4.1.311.2.1.12, aka "SPC_SP_OPUS_INFO_OBJID", it's doc

Re: future of dual booting Windows and Fedora, redux

2022-08-01 Thread Kamil Paral
On Fri, Jul 29, 2022 at 2:32 PM Chris Murphy wrote: > On Fri, Jul 29, 2022, at 4:38 AM, Kamil Paral wrote: > > Currently there is this (insufficient, of course): > > https://ask.fedoraproject.org/t/windows-with-encrypted-disks-bitlocker-cant-be-booted-from-the-grub-boot-menu/20612 > > > Looks pre

Re: future of dual booting Windows and Fedora, redux

2022-08-01 Thread Zammis Clark
> It doesn't help that Microsoft does not embed the name of the party who submitted an UEFI driver for signing in the signature itself. Microsoft does do this; it's in an authenticated attribute with OID 1.3.6.1.4.1.311.2.1.12, aka "SPC_SP_OPUS_INFO_OBJID", it's documented as part of Office do

Re: future of dual booting Windows and Fedora, redux

2022-07-30 Thread Kevin Kofler via devel
Florian Weimer wrote: > But they also say this: > > | The default state of Secure Boot has a wide circle of trust which can > | result in customers trusting boot components they may not need. Since > | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for > | all Linux distribution

Re: future of dual booting Windows and Fedora, redux

2022-07-30 Thread Kevin Kofler via devel
Nico Kadel-Garcia wrote: > It's DRM, not ransomware. Sounds to me like "it's not crap, it's poop". ;-) > It's locking in, not deleting, your existing access It sneakily encrypts your data forcing you to fulfill specific conditions to access it, just like ransomware does. > and tying it to spec

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Richard Hughes
On Tue, 26 Jul 2022 at 19:06, Chris Murphy wrote: > b. Add a user space utility that modifies system NVRAM such that the next boot > (only) will directly boot the Windows bootloader. In fwupd we add a Boot target and set BootNext to run the capsule update loader. 99.99% of the time it works just

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-29 Thread Chris Adams
Once upon a time, Vojtech Trefny said: > "BitLocker automatic device encryption starts during Out-of-box (OOBE) > experience. > However, protection is enabled (armed) only after users sign in with a > Microsoft Account > or an Azure Active Directory account. Until that, protection is > suspended

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Luca Boccassi
> * Vitaly Zaitsev via devel: > > > But they also say this: > > | The default state of Secure Boot has a wide circle of trust which can > | result in customers trusting boot components they may not need. Since > | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for > | all Linu

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-29 Thread Vojtech Trefny
On Thu, Jul 28, 2022 at 2:39 PM Chris Adams wrote: > > Once upon a time, Vojtech Trefny said: > > This is also what happens if you choose to "decrypt" your BitLocker > > volume in Windows so if it is this case, cryptsetup doesn't support > > it. We intentionally ignored this case mostly because i

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Lennart Poettering
On Do, 28.07.22 17:18, Gregory Bartholomew (gregory.lee.bartholo...@gmail.com) wrote: > > One is not really supposed to have multiple ESPs on the same > > medium. ... > > That "on the same medium" is an interesting caveat. I've been trying to do > A/B type configurations where there are two (or m

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Chris Murphy
On Fri, Jul 29, 2022, at 9:29 AM, Philipp Homann wrote: > Hi, > > haven't read all the posts, maybe this was mentioned in one of them. > > What about an EFI binary, which sets the next boot entry and initiates > a reboot? > This can be loaded by grub with the next boot device as parameter, > wh

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Philipp Homann
Hi, haven't read all the posts, maybe this was mentioned in one of them. What about an EFI binary, which sets the next boot entry and initiates a reboot? This can be loaded by grub with the next boot device as parameter, which can be dynamically set on grub config generation. Or even as a BLS en

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Chris Murphy
On Fri, Jul 29, 2022, at 5:25 AM, Lennart Poettering wrote: > On Fr, 29.07.22 00:21, Peter Boy (p...@uni-bremen.de) wrote: > >> > One is not really supposed to have multiple ESPs >> >> I have another question regarding multiple ESPs, maybe a bit >> off-topic. For software raid we currently have a

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Chris Murphy
On Fri, Jul 29, 2022, at 4:38 AM, Kamil Paral wrote: >> - Documentation: GRUB's Windows boot option may not work, how to use >> efibootmgr --bootnext and --bootorder > > Currently there is this (insufficient, of course): > https://ask.fedoraproject.org/t/windows-with-encrypted-disks-bitlocker-c

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Daniel P . Berrangé
On Fri, Jul 29, 2022 at 01:52:28PM +0200, Florian Weimer wrote: > * Daniel P. Berrangé: > > >> Unfortunately, Fedora promoted this broken model with pervasive > >> cross-distribution/cross-OS trust as well. People are generally quick > >> to criticize those who control a PKI, but very few organiz

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Florian Weimer
* Daniel P. Berrangé: >> Unfortunately, Fedora promoted this broken model with pervasive >> cross-distribution/cross-OS trust as well. People are generally quick >> to criticize those who control a PKI, but very few organizations are >> willing to step up to hold the key material for the key of l

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Vitaly Zaitsev via devel
On 29/07/2022 11:55, Daniel P. Berrangé wrote: This doesn't mean that everything is suddenly going to be "Secure-cored" and thus prevent use of shim out of the box. They will begin enforcing this "Secure-cored" policy very soon. An open question is just how widely the OEM hardware vendors wil

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Daniel P . Berrangé
On Fri, Jul 29, 2022 at 11:26:15AM +0200, Florian Weimer wrote: > * Vitaly Zaitsev via devel: > > > On 26/07/2022 20:05, Chris Murphy wrote: > >> Summary: Windows 10/11 increasingly enables Bitlocker (full disk > >> encryption) out of the box with the encryption key sealed in the TPM. Two > >> d

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Daniel P . Berrangé
On Thu, Jul 28, 2022 at 07:47:15PM +0200, Vitaly Zaitsev via devel wrote: > On 26/07/2022 20:05, Chris Murphy wrote: > > Summary: Windows 10/11 increasingly enables Bitlocker (full disk > > encryption) out of the box with the encryption key sealed in the TPM. Two > > different issues result: > >

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Florian Weimer
* Vitaly Zaitsev via devel: > On 26/07/2022 20:05, Chris Murphy wrote: >> Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) >> out of the box with the encryption key sealed in the TPM. Two different >> issues result: > > Microsoft has published a new security bulletin

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Lennart Poettering
On Fr, 29.07.22 00:21, Peter Boy (p...@uni-bremen.de) wrote: > > One is not really supposed to have multiple ESPs > > I have another question regarding multiple ESPs, maybe a bit > off-topic. For software raid we currently have a kind of „off-label > use“. Anaconda puts the ESP on a raid partition

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Kamil Paral
On Thu, Jul 28, 2022 at 6:52 PM Chris Murphy wrote: > Short term approaches: > > - Documentation: GRUB's Windows boot option may not work, how to use > efibootmgr --bootnext and --bootorder > Currently there is this (insufficient, of course): https://ask.fedoraproject.org/t/windows-with-encrypte

Re: future of dual booting Windows and Fedora, redux

2022-07-29 Thread Barry
> On 29 Jul 2022, at 06:53, Nico Kadel-Garcia wrote: > > On Tue, Jul 26, 2022 at 4:07 PM Kevin Kofler via devel > wrote: >> >> Chris Murphy wrote: >>> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, >>> so that instead of chainloading the Windows bootloader from GR

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Nico Kadel-Garcia
On Tue, Jul 26, 2022 at 9:16 PM Kevin Kofler via devel wrote: > > Chris Murphy wrote: > > Summary: Windows 10/11 increasingly enables Bitlocker (full disk > > encryption) out of the box with the encryption key sealed in the TPM. > […] > > The Bitlocker encryption key is unsealed only if the boot c

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Nico Kadel-Garcia
On Tue, Jul 26, 2022 at 4:07 PM Kevin Kofler via devel wrote: > > Chris Murphy wrote: > > a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, > > so that instead of chainloading the Windows bootloader from GRUB, GRUB > > will modify the system NVRAM such that the next boot (

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Peter Boy
> On 28.07.2022 at 22:17, Lennart Poettering wrote: > > One is not really supposed to have multiple ESPs I have another question regarding multiple ESPs, maybe a bit off-topic. For software raid we currently have a kind of „off-label use“. Anaconda puts the ESP on a raid partition (and the

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Gregory Bartholomew
On Thu, Jul 28, 2022 at 3:17 PM Lennart Poettering wrote: > On Do, 28.07.22 15:03, Chris Murphy (li...@colorremedies.com) wrote: > > > > Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR > so that the firmware will pick it up properly. The only problem is when > using the bootc

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Lennart Poettering
On Do, 28.07.22 15:03, Chris Murphy (li...@colorremedies.com) wrote: > > Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR so > > that the firmware will pick it up properly. The only problem is when using > > the bootctl command to initialize that partition (/boot), it require

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Lennart Poettering
On Do, 28.07.22 13:05, Gregory Bartholomew (gregory.lee.bartholo...@gmail.com) wrote: > VFAT-formatted version of the partition somewhere and perhaps leave the old > one as a (temporary) failback. Besides the bootloader itself, all that is > really on the /boot partition is the kernel and initram

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Chris Murphy
On Thu, Jul 28, 2022, at 2:47 PM, Gregory Bartholomew wrote: > On Thu, Jul 28, 2022 at 1:34 PM Chris Murphy wrote: >> Seems to me the only valid type code for a merged ESP+XBOOTLDR is ESP. What >> am I missing? > > Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR so that >

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Gregory Bartholomew
On Thu, Jul 28, 2022 at 1:34 PM Chris Murphy wrote: > Seems to me the only valid type code for a merged ESP+XBOOTLDR is ESP. > What am I missing? > Right. I'd like to use the ESP type code for the merged ESP+XBOOTLDR so that the firmware will pick it up properly. The only problem is when using t

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Chris Murphy
On Thu, Jul 28, 2022, at 2:05 PM, Gregory Bartholomew wrote: > > Also, this might be a little off-topic, but I've recommended that people use > systemd-boot when trying to dual-boot Windows before: > https://ask.fedoraproject.org/t/dual-booting-windows-10-and-fedora-34/14158/2 > The user repor

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Gregory Bartholomew
On Thu, Jul 28, 2022 at 10:40 AM Lennart Poettering wrote: > ... > > But anyway, I am actually advocating for sticking to VFAT > everywhere. ext4 drivers in the boot loader only are necessary for the > upgrade path. > > I'd like to 2nd the motion to try to stick with VFAT in the boot path until r

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Vitaly Zaitsev via devel
On 26/07/2022 20:05, Chris Murphy wrote: Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) out of the box with the encryption key sealed in the TPM. Two different issues result: Microsoft has published a new security bulletin on the current state of Secure Boot: h

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Chris Murphy
OK. Happy day, we have maybe come full circle. Here's my attempt at a summary: * systemd-boot should be evaluated for Secure Boot signing, so that it can be a viable and testable alternative bootloader to GRUB. Maybe this opens the door to changing the default bootloader in Fedora down the road

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Lennart Poettering
On Do, 28.07.22 10:25, Chris Adams (li...@cmadams.net) wrote: > Once upon a time, Lennart Poettering said: > > Given the overlap of the Fedora/RH boot loader folks and the shim > > folks, I think there's definitely an avenue to get systemd-boot signed > > as payload for SHIM, as alternative to Gr

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Lennart Poettering
On Do, 28.07.22 16:54, Petr Pisar (ppi...@redhat.com) wrote: > > This sounds pretty awesome, actually. I'd like to see that get > > implemented... > > > Unfortunately (complex) file system drivers are not written with safety > in mind. They rather prefer performance over security. If somebody si

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Chris Adams
Once upon a time, Lennart Poettering said: > Given the overlap of the Fedora/RH boot loader folks and the shim > folks, I think there's definitely an avenue to get systemd-boot signed > as payload for SHIM, as alternative to Grub. If Fedora wants this, and > has the man power for it, it should be

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Christian Brauner
Sorry for showing up here unannounced. This is a very strange claim. I'm not speaking in any official capacity but at least __personally__ being at the Linux Systems Group at MSFT I've never encountered any hard requirement on grub. In any case, I want to point out a few things: * Some of t

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Petr Pisar
On Thu, Jul 28, 2022 at 06:31:55AM -0700, Neal Gompa wrote: > On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering > wrote: > > > > On Mi, 27.07.22 16:50, Chris Murphy (li...@colorremedies.com) wrote: > > > > > > I prefer no shim in my computers. I'm using systemd-boot signed by my > > > > own C

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Neal Gompa
On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering wrote: > > On Mi, 27.07.22 16:50, Chris Murphy (li...@colorremedies.com) wrote: > > > > I prefer no shim in my computers. I'm using systemd-boot signed by my > > > own CA. > > > > That is not a generic solution we can ship in Fedora. Since each >

Re: future of dual booting Windows and Fedora, redux

2022-07-28 Thread Lennart Poettering
On Di, 26.07.22 13:37, Neal Gompa (ngomp...@gmail.com) wrote: > > > As I already mentioned the last time this has come up: Why can we not, > > > instead of chainloading Windows directly, chainload a systemd-boot > > > configured to always bootnext to Windows? > > > > Pretty sure shim still hard co

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-28 Thread Chris Adams
Once upon a time, Vojtech Trefny said: > This is also what happens if you choose to "decrypt" your BitLocker > volume in Windows so if it is this case, cryptsetup doesn't support > it. We intentionally ignored this case mostly because it looked like a > small corner case (if you choose to decrypt

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-28 Thread Chris Murphy
On Thu, Jul 28, 2022, at 2:11 AM, Vojtech Trefny wrote: > On Wed, Jul 27, 2022 at 5:53 PM Chris Murphy wrote: >> >> >> >> On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote: >> > Once upon a time, Neal Gompa said: >> >> My understanding is that Windows preloads are now blank-encrypted. >> >>

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Vojtech Trefny
On Wed, Jul 27, 2022 at 5:53 PM Chris Murphy wrote: > > > > On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote: > > Once upon a time, Neal Gompa said: > >> My understanding is that Windows preloads are now blank-encrypted. > >> That is, there's a BitLocker volume wrapping the filesystem, even w

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 9:46 PM, Stephen Smoogen wrote: > > > On Wed, Jul 27, 2022 at 17:37 Chris Murphy wrote: >> >> >> On Wed, Jul 27, 2022, at 5:07 PM, Lennart Poettering wrote: >> > On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote: >> > >> >> >> If the add

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Lennart Poettering
On Mi, 27.07.22 17:35, Chris Murphy (li...@colorremedies.com) wrote: > >> If the additional barrier to adoption that Fedora imposes is that > >> every distro needs to also include signed efifs ext4 in order to > >> read $BOOT, I think it's too much. > > > > I do not follow that logic. First of all

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Lennart Poettering
On Mi, 27.07.22 17:15, Chris Murphy (li...@colorremedies.com) wrote: > > > On Wed, Jul 27, 2022, at 4:47 PM, Lennart Poettering wrote: > > On Mi, 27.07.22 16:19, Chris Murphy (li...@colorremedies.com) wrote: > > > >> >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or > >> >

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Stephen Smoogen
On Wed, Jul 27, 2022 at 17:37 Chris Murphy wrote: > > > On Wed, Jul 27, 2022, at 5:07 PM, Lennart Poettering wrote: > > On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote: > > > > >> If the additional barrier to adoption that Fedora imposes is that > >> every distro ne

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Demi Marie Obenour
On 7/26/22 21:56, Chris Murphy wrote: > > > On Tue, Jul 26, 2022, at 7:18 PM, Chris Adams wrote: >> Once upon a time, Chris Murphy said: >>> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, >>> so that instead of chainloading the Windows bootloader from GRUB, GRUB will

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 5:07 PM, Lennart Poettering wrote: > On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote: > >> If the additional barrier to adoption that Fedora imposes is that >> every distro needs to also include signed efifs ext4 in order to >> read $BOOT,

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Javier Martinez Canillas
On Wed, Jul 27, 2022 at 10:31 PM Lennart Poettering wrote: > [...] > > The lack of an upgrade path, I think, is a bigger issue than a > > system-wide change proposal to: switch to systemd-boot on UEFI, > > including FAT /boot partition, for new clean installs. > > I don't think the upgrade path

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 4:47 PM, Lennart Poettering wrote: > On Mi, 27.07.22 16:19, Chris Murphy (li...@colorremedies.com) wrote: > >> >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or >> >> Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be >> >>

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Lennart Poettering
On Mi, 27.07.22 17:01, Chris Murphy (li...@colorremedies.com) wrote: > > > On Wed, Jul 27, 2022, at 4:30 PM, Lennart Poettering wrote: > > > So, let's say you want to make sd-boot be able to access a legacy ext4 > > /boot/ fs. First, fix the GPT partition type of that /boot/ partition >

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Lennart Poettering
On Mi, 27.07.22 16:50, Chris Murphy (li...@colorremedies.com) wrote: > > I prefer no shim in my computers. I'm using systemd-boot signed by my > > own CA. > > That is not a generic solution we can ship in Fedora. Since each > distro ships their own shim, they'd each have to ship their own > signed

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 4:30 PM, Lennart Poettering wrote: > So, let's say you want to make sd-boot be able to access a legacy ext4 > /boot/ fs. First, fix the GPT partition type of that /boot/ partition > to be the XBOOTLDR one (so that sd-boot can recognize it; currently > fedora for some rea

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 4:27 PM, Vitaly Zaitsev via devel wrote: > On 27/07/2022 22:19, Chris Murphy wrote: >> * $BOOT is supposed to be readable by all distros that share $BOOT > > It will. efifs will be installed to ESP partition. > >> * efifs drivers must be signed in order to be loaded on UE

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Lennart Poettering
On Mi, 27.07.22 16:19, Chris Murphy (li...@colorremedies.com) wrote: > >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or > >> Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be > >> FAT in order to fulfill the interoperability intent of the spec, bec

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Lennart Poettering
On Mi, 27.07.22 10:13, Chris Murphy (li...@colorremedies.com) wrote: > > Since you say systemd-boot can already do what we want in this regard: > > > > e. Replace grub for EFI systems with systemd-boot ? > > I wish it were possible. I'm pretty sure the Red Hat bootloader team > has no time or in

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Vitaly Zaitsev via devel
On 27/07/2022 22:19, Chris Murphy wrote: * $BOOT is supposed to be readable by all distros that share $BOOT It will. efifs will be installed to ESP partition. * efifs drivers must be signed in order to be loaded on UEFI Secure Boot enabled systems True. But I think Fedora can sign drivers

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 2:36 PM, Vitaly Zaitsev via devel wrote: > On 27/07/2022 18:53, Chris Murphy wrote: >> Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or >> Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be FAT >> in order to fulfill the inter

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Vitaly Zaitsev via devel
On 27/07/2022 18:53, Chris Murphy wrote: Boot Loader Spec defines $BOOT as either EFI System partition (ESP) or Extended Boot Loader Partition (XBOOTLDR), and in effect they need to be FAT in order to fulfill the interoperability intent of the spec, because it is a shared $BOOT across all dist

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 1:17 PM, Milan Broz wrote: > On 27/07/2022 17:52, Chris Murphy wrote: >> On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote: >>> Once upon a time, Neal Gompa said: My understanding is that Windows preloads are now blank-encrypted. That is, there's a BitLocker

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Milan Broz
On 27/07/2022 17:52, Chris Murphy wrote: On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote: Once upon a time, Neal Gompa said: My understanding is that Windows preloads are now blank-encrypted. That is, there's a BitLocker volume wrapping the filesystem, even with encryption turned off. It

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 12:11 PM, Daniel P. Berrangé wrote: > On Wed, Jul 27, 2022 at 10:13:57AM -0400, Chris Murphy wrote: >> >> >> On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote: >> > >> > Since you say systemd-boot can already do what we want in this regard: >> > >> > e. Replace

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Daniel P . Berrangé
On Wed, Jul 27, 2022 at 10:13:57AM -0400, Chris Murphy wrote: > > > On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote: > > > > Since you say systemd-boot can already do what we want in this regard: > > > > e. Replace grub for EFI systems with systemd-boot ? > > I wish it were possible

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 11:11 AM, Chris Adams wrote: > Once upon a time, Neal Gompa said: >> My understanding is that Windows preloads are now blank-encrypted. >> That is, there's a BitLocker volume wrapping the filesystem, even with >> encryption turned off. It makes encrypting the disk later

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Chris Adams
Once upon a time, Neal Gompa said: > My understanding is that Windows preloads are now blank-encrypted. > That is, there's a BitLocker volume wrapping the filesystem, even with > encryption turned off. It makes encrypting the disk later > significantly easier (it doesn't have to do filesystem resi

Re: BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Neal Gompa
On Wed, Jul 27, 2022 at 7:15 AM Chris Adams wrote: > > Once upon a time, Chris Murphy said: > > This is a good point to underscore. The user experience following a Fedora > > installation when Bitlocker is enabled, is the appearance of Windows being > > broken or inaccessible. We are probably b

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Gary Buhrmaster
On Wed, Jul 27, 2022 at 12:12 PM Vitaly Zaitsev via devel wrote: > > On 26/07/2022 20:05, Chris Murphy wrote: > > Thoughts? > > e. Switch from GRUB 2 to systemd-boot for the UEFI installations. Making it easier to choose to install systemd-boot rather than grub (including signing systemd-boot) at

BitLocker (was Re: future of dual booting Windows and Fedora, redux)

2022-07-27 Thread Chris Adams
Once upon a time, Chris Murphy said: > This is a good point to underscore. The user experience following a Fedora > installation when Bitlocker is enabled, is the appearance of Windows being > broken or inaccessible. We are probably better off asking Anaconda to refuse > to install when Bitlock

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote: > > Since you say systemd-boot can already do what we want in this regard: > > e. Replace grub for EFI systems with systemd-boot ? I wish it were possible. I'm pretty sure the Red Hat bootloader team has no time or interest in it. An

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Chris Murphy
On Wed, Jul 27, 2022, at 5:55 AM, Kamil Paral wrote: > > I've been to numerous events where we helped students install Fedora into > dual boot. One of the top 5 questions afterwards (maybe even #1) is "how do I > make it boot Windows by default?". In the old days, that consisted of editing >

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Vitaly Zaitsev via devel
On 26/07/2022 20:05, Chris Murphy wrote: Thoughts? e. Switch from GRUB 2 to systemd-boot for the UEFI installations. -- Sincerely, Vitaly Zaitsev (vit...@easycoding.org)

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Kamil Paral
On Tue, Jul 26, 2022 at 8:06 PM Chris Murphy wrote: > a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, > so that instead of chainloading the Windows bootloader from GRUB, GRUB will > modify the system NVRAM such that the next boot (only) will directly boot > the Windows

Re: future of dual booting Windows and Fedora, redux

2022-07-27 Thread Daniel P . Berrangé
On Tue, Jul 26, 2022 at 02:05:24PM -0400, Chris Murphy wrote: > Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) > out of the box with the encryption key sealed in the TPM. Two different > issues result: > > 1. Fedora's installer, Anaconda, can't resize Bitlocker volu

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Tomasz Torcz
On Wed, Jul 27, 2022 at 05:07:39AM +0200, Kevin Kofler via devel wrote: > Chris Murphy wrote: > > cryptsetup does have Bitlocker support, so long as you have the recovery > > key you can unlock and get access to your data, I've tested this. > > But you need a recovery key to begin with, because th

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Kevin Kofler via devel
Chris Murphy wrote: > cryptsetup does have Bitlocker support, so long as you have the recovery > key you can unlock and get access to your data, I've tested this. But you need a recovery key to begin with, because the main key is sealed in the TPM and not visible from anything other than Windows.

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Luya Tshimbalanga
Could someone sign systemd-boot please? That EFI boot seems simple to use and very minimal especially for both x64 arch based desktop and laptop. On 2022-07-26 16:14, Chris Murphy wrote: On Tue, Jul 26, 2022, at 4:42 PM, Kevin Kofler via devel wrote: Chris Murphy wrote: On Tue, Jul 26, 2022,

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Murphy
On Tue, Jul 26, 2022, at 7:18 PM, Chris Adams wrote: > Once upon a time, Chris Murphy said: >> a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, >> so that instead of chainloading the Windows bootloader from GRUB, GRUB will >> modify the system NVRAM such that the next

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Murphy
On Tue, Jul 26, 2022, at 9:15 PM, Kevin Kofler via devel wrote: > Chris Murphy wrote: >> Summary: Windows 10/11 increasingly enables Bitlocker (full disk >> encryption) out of the box with the encryption key sealed in the TPM. > […] >> The Bitlocker encryption key is unsealed only if the boot cha

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Kevin Kofler via devel
Chris Murphy wrote: > Summary: Windows 10/11 increasingly enables Bitlocker (full disk > encryption) out of the box with the encryption key sealed in the TPM. […] > The Bitlocker encryption key is unsealed only if the boot chain > measurement by the TPM matches the expected values in a TPM PCR. So

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Kevin Kofler via devel
Chris Murphy wrote: > It's a Rube Goldberg machine way of doing this. Isn't that the Unix Way? Kevin Kofler

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Murphy
On Tue, Jul 26, 2022, at 4:59 PM, Neal Gompa wrote: > On Tue, Jul 26, 2022 at 1:43 PM Kevin Kofler via devel > wrote: >> >> Chris Murphy wrote: >> > On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote: >> >> As I already mentioned the last time this has come up: Why can we not, >> >>

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Adams
Once upon a time, Chris Murphy said: > a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, so > that instead of chainloading the Windows bootloader from GRUB, GRUB will > modify the system NVRAM such that the next boot (only) will directly boot the > Windows bootloader. T

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Murphy
On Tue, Jul 26, 2022, at 4:42 PM, Kevin Kofler via devel wrote: > Chris Murphy wrote: >> On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote: >>> As I already mentioned the last time this has come up: Why can we not, >>> instead of chainloading Windows directly, chainload a systemd-boo

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Neal Gompa
On Tue, Jul 26, 2022 at 1:43 PM Kevin Kofler via devel wrote: > > Chris Murphy wrote: > > On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote: > >> As I already mentioned the last time this has come up: Why can we not, > >> instead of chainloading Windows directly, chainload a systemd-b

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Kevin Kofler via devel
Chris Murphy wrote: > On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote: >> As I already mentioned the last time this has come up: Why can we not, >> instead of chainloading Windows directly, chainload a systemd-boot >> configured to always bootnext to Windows? > > Pretty sure shim st

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Neal Gompa
On Tue, Jul 26, 2022 at 1:12 PM Chris Murphy wrote: > > > > On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote: > > > As I already mentioned the last time this has come up: Why can we not, > > instead of chainloading Windows directly, chainload a systemd-boot > > configured to always b

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Murphy
On Tue, Jul 26, 2022, at 4:06 PM, Kevin Kofler via devel wrote: > As I already mentioned the last time this has come up: Why can we not, > instead of chainloading Windows directly, chainload a systemd-boot > configured to always bootnext to Windows? Pretty sure shim still hard codes the name

Re: future of dual booting Windows and Fedora, redux

2022-07-26 Thread Kevin Kofler via devel
Chris Murphy wrote: > a. Fix GRUB by giving it the ability to modify UEFI NVRAM "bootnext" value, > so that instead of chainloading the Windows bootloader from GRUB, GRUB > will modify the system NVRAM such that the next boot (only) will directly > boot the Windows bootloader. Thus far there's no in

future of dual booting Windows and Fedora, redux

2022-07-26 Thread Chris Murphy
Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) out of the box with the encryption key sealed in the TPM. Two different issues result: 1. Fedora's installer, Anaconda, can't resize Bitlocker volumes. We could use better documentation to help the user perform the vol