sd-boot: disable bitlocker reboot feature for now

Conceptually the feature is great and should exist, but in its current form should be worked to be generic (i.e. not specific to Windows/Bitlocker, but appliable to any boot entry), not be global (but be a per-entry thing), not require a BootXXXX entry to exist, and not check for the BitLocker signature (as TPMs are not just used for BitLocker). Since we want to get 251 released, mark it in the documentation, in NEWS and in code as experimental and make clear it will be reworked in a future release. Also, make it opt-in to make it less likely people come to rely on it without reading up on it, and understanding that it will likely change sooner or later. Follow-up for: #22043 See: #22390
2024-07-23 19:25:39 +00:00 · 2022-03-16 12:01:37 +01:00 · 2022-03-16 12:01:37 +01:00 · deb5c820ca
parent c2c7eea1e9
commit deb5c820ca
3 changed files with 20 additions and 3 deletions
--- a/11
+++ b/11
@ -52,6 +52,17 @@ CHANGES WITH 251:
          or ID field of /etc/os-release or another suitable identifier before
          deploying the image.

+        * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
+          loader.conf that implements booting Microsoft Windows from the
+          sd-boot in a way that first reboots the system, to reset the TPM
+          PCRs. This improves compatibility with BitLocker's TPM use, as the
+          PCRs will only record the Windows boot process, and not sd-boot
+          itself, thus retaining the PCR measurements not involving
+          sd-boot. Note that this feature is experimental for now, and is
+          likely going to be generalized, renamed and removed in its current
+          form in a future release, without retaining compatibility with its
+          current implementation.
+
        * The --make-machine-id-directory= switch to bootctl has been replaced
          by --make-entry-directory=, given that the entry directory is not
          necessarily named after the machine ID, but after some other suitable
--- a/man/loader.conf.xml
+++ b/man/loader.conf.xml
@ -206,8 +206,11 @@
      <varlistentry>
        <term>reboot-for-bitlocker</term>

-        <listitem><para>Work around BitLocker requiring a recovery key when the boot loader was
-        updated (enabled by default).</para>
+        <listitem><para>Caveat: This feature is experimental, and is likely to be changed (or removed in its
+        current form) in a future version of systemd.</para>
+
+        <para>Work around BitLocker requiring a recovery key when the boot loader was
+        updated (disabled by default).</para>

        <para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found
        and Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal>
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@ -1549,7 +1549,7 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
                .editor = TRUE,
                .auto_entries = TRUE,
                .auto_firmware = TRUE,
-                .reboot_for_bitlocker = TRUE,
+                .reboot_for_bitlocker = FALSE,
                .random_seed_mode = RANDOM_SEED_WITH_SYSTEM_TOKEN,
                .idx_default_efivar = IDX_INVALID,
                .console_mode = CONSOLE_MODE_KEEP,
@ -1983,6 +1983,9 @@ static EFI_STATUS boot_windows_bitlocker(void) {
        UINTN n_handles;
        EFI_STATUS err;

+        // FIXME: Experimental for now. Should be generalized, and become a per-entry option that can be
+        // enabled independently of BitLocker, and without a BootXXXX entry pre-existing.
+
        /* BitLocker key cannot be sealed without a TPM present. */
        if (!tpm_present())
                return EFI_NOT_FOUND;