Monday, August 1, 2011

Dual-boot woes

Ever since we converted Windows 7 to use BitLocker for disk encryption, I've had nothing but problems. A few weeks later, I received a Linux kernel update, and I think that's when everything broke for Windows. Whenever I want to boot Windows, I am prompted to type in a very long BitLocker recovery key. It's tedious to type in every time I boot Windows, but that's what I have to do.

My laptop is dual-boot with Windows 7 and Linux. It's a fairly straightforward setup (with only a few twists to support Dell's "Instant ON" mode, which turned out to be useless because I don't use Exchange). My drive has several partitions: a "Dell Utility" partition, Windows 7, a Dell "Instant ON" partition, and Linux. I rarely boot into Windows these days - but when I do, it's usually to attend a conference call that requires Silverlight. I never boot the "Dell Utility" or the "Instant ON".

I've tried the trick of telling BitLocker to accept the new system configuration. This doesn't fix my problem. I'm still prompted to type in the key to boot Windows.

I've also tried booting into Windows, suspending BitLocker, then re-enabling BitLocker. This also doesn't work. I can suspend/re-enable just fine, but it doesn't solve my problem.

Oddly, the TPM keeps disabling itself, and I don't know why. Is this part of normal TPM behavior when it detects a change in the configuration? Or is this a hardware fault on my laptop?

Frustrated, I did some research, and found lots of (albeit old) sources that discuss troubles in dual-boot with Windows/BitLocker and Linux. The description that makes the most sense to me is from this article on Building a dual boot system with Windows Vista BitLocker protection with TPM support, by Cyril ("Voy") Voisin. In it, Voy says:
[...] Therefore if you replace Windows Vista’s MBR by a MBR that is not TPM aware, it won’t hash the boot sector before executing it and a register in the TPM won’t be populated. Same with the boot sector. Therefore Bitlocker will simply refuse to be enabled.
Since I put GRUB on my MBR, I understand this to mean that a register within TPM isn't getting set correctly, which may explain why I always need to type in that key to boot Windows.
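To make Voy's point concrete, here is an added example (my own script, not code from the post or from Voisin's article) that inspects the relevant registers from the Linux side. It assumes a TPM 1.2 whose PCRs the kernel exposes in /sys/class/tpm/tpm0/pcrs as "PCR-NN: XX XX ... XX" lines, and a legacy-BIOS boot disk at /dev/sda; the PCR labels follow Windows 7's default BIOS validation profile (PCRs 0, 2, 4, 5, 8, 9, 10 and 11). The two sample dumps inside it are constructed, not real measurements: the first stands for a boot through the Windows MBR, the second for a boot through GRUB installed in the MBR.

```shell
#!/bin/sh
# Added example; not code from the original post or from Voisin's article.
# From the Linux side, shows which TPM 1.2 registers a GRUB MBR disturbs.
# Assumptions (mine): a TPM 1.2 whose PCRs the kernel exposes in
# /sys/class/tpm/tpm0/pcrs as "PCR-NN: XX XX ... XX" lines, and the boot
# disk at /dev/sda.

PCRS_FILE=${PCRS_FILE:-/sys/class/tpm/tpm0/pcrs}
DISK=${DISK:-/dev/sda}

# What Windows 7's default BIOS validation profile (PCRs 0,2,4,5,8,9,10,11)
# expects to find in each register.
pcr_label() {
    case "$1" in
        00) echo "BIOS code" ;;
        02) echo "option ROM code" ;;
        04) echo "MBR code (whatever the BIOS hands control to)" ;;
        05) echo "MBR partition table" ;;
        08) echo "NTFS boot sector (measured by the Windows MBR)" ;;
        09) echo "NTFS boot block (measured by the boot sector code)" ;;
        10) echo "boot manager (bootmgr)" ;;
        11) echo "BitLocker access control" ;;
        *)  echo "not in the default profile" ;;
    esac
}

# Hash of the 440-byte MBR bootstrap code, the bytes the BIOS measures into
# PCR 4 before running them. If this changes between two boots (say, after
# grub-install rewrote the MBR), PCR 4 changes and the sealed key won't unseal.
mbr_code_hash() {
    dd if="$1" bs=440 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Hex digest of one PCR (index as two digits, e.g. 04) from a dump file.
pcr_value() {
    sed -n "s/^PCR-$1: //p" "$2" | tr -d ' '
}

# Registers from the BitLocker profile whose value differs between a saved
# baseline dump and the current one.
pcr_diff() {
    for i in 00 02 04 05 08 09 10 11; do
        if [ "$(pcr_value "$i" "$1")" != "$(pcr_value "$i" "$2")" ]; then
            echo "PCR-$i changed: $(pcr_label "$i")"
        fi
    done
}

# A register still all zeros after boot was never extended: Voisin's
# "register in the TPM won't be populated" when a non-TPM-aware MBR runs.
pcr_unpopulated() {
    for i in 08 09 10 11; do
        case "$(pcr_value "$i" "$1")" in
            0000000000000000000000000000000000000000)
                echo "PCR-$i never extended: $(pcr_label "$i")" ;;
        esac
    done
}

# Constructed sample dumps (not real measurements): $1 = boot through the
# Windows MBR, $2 = boot through GRUB installed in the MBR.
write_samples() {
    cat > "$1" <<'EOF'
PCR-00: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
PCR-02: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
PCR-04: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
PCR-05: 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
PCR-08: 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88
PCR-09: 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99
PCR-10: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
PCR-11: BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
EOF
    cat > "$2" <<'EOF'
PCR-00: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
PCR-02: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
PCR-04: 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66
PCR-05: 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EOF
}

# On a real machine: first run saves a baseline, later runs report what moved
# and which registers nothing ever extended. Skipped where there is no TPM.
if [ -r "$PCRS_FILE" ]; then
    if [ -f pcr-baseline.txt ]; then
        pcr_diff pcr-baseline.txt "$PCRS_FILE"
        pcr_unpopulated "$PCRS_FILE"
    else
        cp "$PCRS_FILE" pcr-baseline.txt && echo "saved pcr-baseline.txt"
    fi
    [ -r "$DISK" ] && echo "MBR code sha256: $(mbr_code_hash "$DISK")"
fi
```

With GRUB in the MBR, a Linux boot should show PCRs 8 through 11 still at zero, since neither the Windows MBR nor bootmgr ran to extend them; that zeroed state is exactly the profile BitLocker's sealed key was never bound to. Running the script before and after a kernel or GRUB update also shows whether the MBR bytes (and hence PCR 4) moved.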

The article then details the steps to set up a dual-boot system that uses Windows/BitLocker. In short:
  1. Install Linux first.
  2. Install GRUB on the Linux partition (not the MBR).
  3. Save a copy of the Linux boot sector.
  4. Create partitions for Windows.
  5. Install Windows.
  6. Configure the Windows Boot Manager to also boot Linux.
  7. Enable TPM.
  8. Enable BitLocker.
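The Linux-side half of that procedure (steps 2 and 3), plus the Windows commands for step 6, as an added example; this is my script, not code from the post or from Voisin's article. It assumes the Linux partition is /dev/sda5 (the Dell layout above does not say which number it is), GRUB 2 (GRUB legacy takes the same partition target without --force), and that the saved sector is carried to C:\linux.bin on the Windows side. The check a practitioner wants before touching the Windows boot store is that the saved file really is one 512-byte boot sector ending in the 0x55 0xAA signature, so that is what it verifies.

```shell
#!/bin/sh
# Added example; not code from the original post or from Voisin's article.
# Linux-side steps of the dual-boot-with-BitLocker procedure: GRUB into the
# Linux partition (not the MBR), save its boot sector, validate the copy,
# and print the Windows Boot Manager entry that will chain-load it.
# Assumptions (mine): Linux on /dev/sda5, GRUB 2, copy lands in C:\linux.bin.

LINUX_PART=${LINUX_PART:-/dev/sda5}
OUT=${OUT:-linux.bin}

# Step 2: GRUB's boot code goes into the partition's first sector so the
# TPM-aware Windows MBR stays in place. GRUB 2 only installs to a partition
# (it needs blocklists) when forced.
install_grub_to_partition() {
    grub-install --force "$1"
}

# Step 3: save exactly one 512-byte sector; this is what bcdedit chains to.
save_boot_sector() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# A PC boot sector is 512 bytes and ends in the 0x55 0xAA signature.
# Returns 0 if the saved copy looks like one, 1 otherwise.
check_boot_sector() {
    [ "$(wc -c < "$1")" -eq 512 ] || return 1
    [ "$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "55aa" ]
}

# Step 6, run in an elevated cmd.exe on Windows after copying the file over:
# a "bootsector" entry that hands control to the saved GRUB sector.
bcdedit_commands() {
    cat <<'EOF'
bcdedit /create /d "Linux" /application bootsector
rem  the line above prints "The entry {GUID} was successfully created"; use it below
bcdedit /set {GUID} device partition=C:
bcdedit /set {GUID} path \linux.bin
bcdedit /displayorder {GUID} /addlast
bcdedit /timeout 10
EOF
}

# Steps 7 and 8 (enable the TPM, then BitLocker) come last and in Windows:
# BitLocker seals to the PCRs the Windows MBR and bootmgr produce, so those
# must already be what runs from the MBR when the key is sealed.
# Only touches the disk when explicitly asked to and running as root.
if [ "${1:-}" = "--run" ] && [ -b "$LINUX_PART" ] && [ "$(id -u)" -eq 0 ]; then
    install_grub_to_partition "$LINUX_PART"
    save_boot_sector "$LINUX_PART" "$OUT"
    if check_boot_sector "$OUT"; then
        echo "saved $OUT; copy it to C:\\linux.bin and run, in an admin cmd.exe:"
        bcdedit_commands
    else
        echo "$OUT is not a boot sector; is GRUB really on $LINUX_PART?" >&2
        exit 1
    fi
fi
```

Run it as root with --run on the Linux side once the partitions exist. The order of the procedure is what keeps BitLocker happy: Windows is installed after Linux so its own MBR ends up on the disk, GRUB never overwrites it, and the TPM is enabled and the volume sealed only once that chain is final. Any later grub-install that targets /dev/sda instead of the partition puts you back where this post started.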
That's a lot of "hack" to get a dual-boot system. The rational part of me understands that TPM isn't just to encrypt data, it's meant to prevent "unauthorized" software from running on the system. And from the TPM view, my Linux install is (technically) "unauthorized" because TPM doesn't know about it.

I get it.

But at the same time, I can't help but think this is some elaborate conspiracy to prevent Linux dual-boot systems. It's as though the only way I can run Linux on this system - and keep Windows/BitLocker running happily - is to boot Linux from some other media. I tell you, I'm this close to going back to running Linux from a USB flash drive. I used to do that all the time, and it was still very fast. Software updates were a little slow, but everything else was speedy.

I don't know. Maybe I'll do that, just buy another USB flash drive to run Linux, and cede the hard drive to Windows/BitLocker. Erase the Linux partitions, and put a Windows MBR back on the disk. If nothing else, it might rule out a problem with TPM, if TPM keeps disabling itself even when Windows/BitLocker "owns" the whole hard drive.

What do you think? Other suggestions or solutions? If I can find another way to dual-boot Linux and Windows/BitLocker, I'll give it a go.