diff --git a/NEWS b/NEWS index 248cc0fdb4..df729dc769 100644 --- a/NEWS +++ b/NEWS @@ -52,6 +52,17 @@ CHANGES WITH 251: or ID field of /etc/os-release or another suitable identifier before deploying the image. + * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in + loader.conf that implements booting Microsoft Windows from the + sd-boot in a way that first reboots the system, to reset the TPM + PCRs. This improves compatibility with BitLocker's TPM use, as the + PCRs will only record the Windows boot process, and not sd-boot + itself, thus retaining the PCR measurements not involving + sd-boot. Note that this feature is experimental for now, and is + likely going to be generalized, renamed and removed in its current + form in a future release, without retaining compatibility with its + current implementation. + * The --make-machine-id-directory= switch to bootctl has been replaced by --make-entry-directory=, given that the entry directory is not necessarily named after the machine ID, but after some other suitable diff --git a/man/loader.conf.xml b/man/loader.conf.xml index caff44aa1e..e5453c7dcd 100644 --- a/man/loader.conf.xml +++ b/man/loader.conf.xml @@ -206,8 +206,11 @@ reboot-for-bitlocker - Work around BitLocker requiring a recovery key when the boot loader was - updated (enabled by default). + Caveat: This feature is experimental, and is likely to be changed (or removed in its + current form) in a future version of systemd. + + Work around BitLocker requiring a recovery key when the boot loader was + updated (disabled by default). Try to detect BitLocker encrypted drives along with an active TPM. If both are found and Windows Boot Manager is selected in the boot menu, set the BootNext diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c index f6706c68fc..82954ddac1 100644 --- a/src/boot/efi/boot.c +++ b/src/boot/efi/boot.c @@ -1549,7 +1549,7 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) { .editor = TRUE, .auto_entries = TRUE, .auto_firmware = TRUE, - .reboot_for_bitlocker = TRUE, + .reboot_for_bitlocker = FALSE, .random_seed_mode = RANDOM_SEED_WITH_SYSTEM_TOKEN, .idx_default_efivar = IDX_INVALID, .console_mode = CONSOLE_MODE_KEEP, @@ -1983,6 +1983,9 @@ static EFI_STATUS boot_windows_bitlocker(void) { UINTN n_handles; EFI_STATUS err; + // FIXME: Experimental for now. Should be generalized, and become a per-entry option that can be + // enabled independently of BitLocker, and without a BootXXXX entry pre-existing. + /* BitLocker key cannot be sealed without a TPM present. */ if (!tpm_present()) return EFI_NOT_FOUND;