Monday, August 1, 2011

Dual-boot woes

Ever since we converted Windows 7 to use BitLocker for disk encryption, I've had nothing but problems. A few weeks later, I received a Linux kernel update, and I think that's when everything broke for Windows. Whenever I want to boot Windows, I am prompted to type in a very long BitLocker recovery key. It's tedious to type in every time I boot Windows, but that's what I have to do.

My laptop is dual-boot with Windows 7 and Linux. It's a fairly straightforward setup (with only a few twists to support Dell's "Instant ON" mode, which turned out to be useless because I don't use Exchange). My drive has several partitions: a "Dell Utility" partition, Windows 7, a Dell "Instant ON" partition, and Linux. I rarely boot into Windows these days - but when I do, it's usually to attend a conference call that requires Silverlight. I never boot the "Dell Utility" or the "Instant ON" partitions.

I've tried the trick of telling BitLocker to accept the new system configuration. This doesn't fix my problem. I'm still prompted to type in the key to boot Windows.

I've also tried booting into Windows, suspending BitLocker, then re-enabling BitLocker. This also doesn't work. I can suspend/re-enable just fine, but it doesn't solve my problem.

Oddly, the TPM keeps disabling itself, and I don't know why. Is this part of normal TPM behavior when it detects a change in the configuration? Or is this a hardware fault on my laptop?

Frustrated, I did some research, and found lots of (albeit old) sources that discuss troubles in dual-boot with Windows/BitLocker and Linux. The description that makes the most sense to me is from this article on technet.com: Building a dual boot system with Windows Vista BitLocker protection with TPM support, by Cyril ("Voy") Voisin. In it, Voy says:
[...] Therefore if you replace Windows Vista’s MBR by a MBR that is not TPM aware, it won’t hash the boot sector before executing it and a register in the TPM won’t be populated. Same with the boot sector. Therefore Bitlocker will simply refuse to be enabled.
Since I put GRUB on my MBR, I understand this to mean that a register within TPM isn't getting set correctly, which may explain why I always need to type in that key to boot Windows.
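To make the quoted mechanism concrete, here is a small Python model of the measured-boot chain it describes. This is an added illustration, not code from the article or from BitLocker: the register names, the constructed boot-code byte strings and the simplified seal/unseal (a digest compare instead of real TPM encryption) are all assumptions, but the extend operation is the TPM 1.2 one (SHA-1 over old value plus hash of the measured code). The key is sealed while the Windows MBR is on disk; with GRUB in the MBR the MBR register differs and the boot-sector register is never populated, so the TPM will not release the key.

```python
import hashlib
from typing import Dict, Optional

PCR_RESET = b"\x00" * 20  # a TPM 1.2 PCR holds 20 zero bytes after power-on

def extend(pcr: bytes, code: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA-1(old || SHA-1(code)). Order matters and
    nothing can be 'un-extended', which is what makes the chain tamper-evident."""
    return hashlib.sha1(pcr + hashlib.sha1(code).digest()).digest()

# Constructed stand-ins for boot code; real images are not needed for the model.
BIOS_CODE = b"constructed BIOS image"
WINDOWS_MBR = b"constructed TPM-aware Windows MBR"
GRUB_MBR = b"constructed GRUB stage 1 written to the MBR"
BOOT_SECTOR = b"constructed Windows partition boot sector"
VMK = b"constructed volume master key"

def measured_boot(mbr: bytes, mbr_is_tpm_aware: bool) -> Dict[str, bytes]:
    """Model the early chain from the quoted article: the BIOS measures whatever
    MBR is on disk; only a TPM-aware MBR then measures the boot sector it runs."""
    pcrs = {"bios": PCR_RESET, "mbr": PCR_RESET, "boot_sector": PCR_RESET}
    pcrs["bios"] = extend(pcrs["bios"], BIOS_CODE)
    pcrs["mbr"] = extend(pcrs["mbr"], mbr)
    if mbr_is_tpm_aware:
        pcrs["boot_sector"] = extend(pcrs["boot_sector"], BOOT_SECTOR)
    return pcrs  # with GRUB in the MBR, "boot_sector" is never populated

def composite(pcrs: Dict[str, bytes]) -> bytes:
    """Digest over the selected PCRs; stands in for the TPM's PCR composite hash."""
    return hashlib.sha1(b"".join(pcrs[name] for name in sorted(pcrs))).digest()

def seal(key: bytes, pcrs: Dict[str, bytes]) -> Dict[str, bytes]:
    """Simplified sealing: record the expected composite beside the key. A real TPM
    encrypts the key under its storage root key and checks PCRs before decrypting."""
    return {"expected": composite(pcrs), "key": key}

def unseal(blob: Dict[str, bytes], pcrs: Dict[str, bytes]) -> Optional[bytes]:
    """Release the key only if the current PCRs match the sealed-to state."""
    return blob["key"] if composite(pcrs) == blob["expected"] else None

def boot_windows(blob: Dict[str, bytes], mbr: bytes, mbr_is_tpm_aware: bool) -> str:
    """What the user sees at the BitLocker prompt for a given MBR on disk."""
    key = unseal(blob, measured_boot(mbr, mbr_is_tpm_aware))
    return "unlocked by TPM" if key == VMK else "recovery key required"

if __name__ == "__main__":
    sealed = seal(VMK, measured_boot(WINDOWS_MBR, True))  # state when BitLocker was enabled
    print("Windows MBR:", boot_windows(sealed, WINDOWS_MBR, True))  # unlocked by TPM
    print("GRUB in MBR:", boot_windows(sealed, GRUB_MBR, False))     # recovery key required
```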

The article then details the steps to set up a dual-boot system that uses Windows/BitLocker. In short:
  1. Install Linux first.
  2. Install GRUB on the Linux partition (not the MBR).
  3. Save a copy of the Linux boot sector.
  4. Create partitions for Windows.
  5. Install Windows.
  6. Configure the Windows Boot Manager to also boot Linux.
  7. Enable TPM.
  8. Enable BitLocker.
That's a lot of "hack" to get a dual-boot system. The rational part of me understands that TPM isn't just to encrypt data, it's meant to prevent "unauthorized" software from running on the system. And from the TPM view, my Linux install is (technically) "unauthorized" because TPM doesn't know about it.

I get it.

But at the same time, I can't help but think this is some elaborate conspiracy to prevent Linux dual-boot systems. It's as though the only way I can run Linux on this system - and keep Windows/BitLocker running happily - is to boot Linux from some other media. I tell you, I'm this close to going back to running Linux from a USB flash drive. I used to do that all the time, and it was still very fast. Software updates were a little slow, but everything else was speedy.

I don't know. Maybe I'll do that, just buy another USB flash drive to run Linux, and cede the hard drive to Windows/BitLocker. Erase the Linux partitions, and put a Windows MBR back on the disk. If nothing else, it might rule out a problem with TPM, if TPM keeps disabling itself even when Windows/BitLocker "owns" the whole hard drive.

What do you think? Other suggestions or solutions? If I can find another way to dual-boot Linux and Windows/BitLocker, I'll give it a go.

7 comments:

  1. So I don't know anything about BitLocker, so I'm basing my answer off of the assumption that the MBR description is correct (which seems likely). You can reinstall the Windows bootloader to the MBR without a full reinstall.

    Try the instructions here. Try the instructions at the end ("Fix MBR (Operating system found/logged on)") before those up top I guess -- they don't require the install DVD. I didn't know that was there actually. Give this page a skim first too.

    I of course recommend backing up important stuff just in case it renders your system unbootable blah blah blah. (Standard disclaimer; I don't have any reason to believe that process is more likely to mess stuff up than anything else that messes with important stuff like your boot sector, just better to be safe than sorry.)

    The rational part of me understands that TPM isn't just to encrypt data, it's meant to prevent "unauthorized" software from running on the system.

    That's only somewhat true... it's not really to prevent, say, Linux from booting at all. Rather, it is to provide an attestation to Windows that -- when it boots -- what it is booting hasn't been messed with. Grub breaks this chain of attestation, because it has come into play at a layer "beneath" the Windows bootloader, and so the TPM can not attest to the entire chain.

    At least that's my understanding.

  2. You could try using boot.ini from Windows instead of GRUB. Maybe then it would understand it has to dual boot. Be careful though :-)

  3. Even when not running BitLocker, it's safer to dual-boot via ntldr. Now with the newer 250GB+ disk drives things are about to go oh so screwy yet again. (U)EFI is expected to replace the ancient kludgy BIOS and the HDs will now be addressed via the GPT rather than the MBR ... oh dear. Expect tech support lines to go wild as the UEFI computers are introduced. There will also be serious issues with people who want to install older systems and tools which cannot handle the GPT. 32-bit systems will also struggle and we can finally consign WinXP to the dead past. Even business users who would rather keep the old software but get newer machines will have to look at other solutions (32 bit virtual machine under a 64 bit system?). Great fun coming up.

  4. Try just putting the GRUB on a flash drive, and boot into the linux system installed on the hard drive. As long as your system will boot the (removable) GRUB media first, just remove it and windows boots.

  5. I really like that last option, installing GRUB on a flash drive. It's simple, and I happen to still have a 32Mb (yes, Megabyte) USB flash drive that's currently unused. I'll give that a try.

  6. This is a situation I have just found myself faced with. I will give it a few more days of trying, but if it really comes down to it, then bye bye Windows 7 and I promise to NEVER EVER boot a Windows machine EVER again!
    Dr J Robinson

  7. I am using an HP laptop, beyond my expectations of Windows 7: suspending BitLocker, restarting the laptop, booting into CentOS 6, yum update, reboot, select Windows and into Windows, restarted BitLocker as suggested by Windows, rebooted and it worked. I wonder if this is related to hardware.
    Dr J Robinson

