mirror of
https://github.com/systemd/systemd
synced 2024-07-23 19:25:39 +00:00
sd-boot: disable bitlocker reboot feature for now
Conceptually the feature is great and should exist, but in its current form should be worked to be generic (i.e. not specific to Windows/Bitlocker, but appliable to any boot entry), not be global (but be a per-entry thing), not require a BootXXXX entry to exist, and not check for the BitLocker signature (as TPMs are not just used for BitLocker). Since we want to get 251 released, mark it in the documentation, in NEWS and in code as experimental and make clear it will be reworked in a future release. Also, make it opt-in to make it less likely people come to rely on it without reading up on it, and understanding that it will likely change sooner or later. Follow-up for: #22043 See: #22390
This commit is contained in:
parent
c2c7eea1e9
commit
deb5c820ca
11
NEWS
11
NEWS
|
@ -52,6 +52,17 @@ CHANGES WITH 251:
|
|||
or ID field of /etc/os-release or another suitable identifier before
|
||||
deploying the image.
|
||||
|
||||
* sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
|
||||
loader.conf that implements booting Microsoft Windows from the
|
||||
sd-boot in a way that first reboots the system, to reset the TPM
|
||||
PCRs. This improves compatibility with BitLocker's TPM use, as the
|
||||
PCRs will only record the Windows boot process, and not sd-boot
|
||||
itself, thus retaining the PCR measurements not involving
|
||||
sd-boot. Note that this feature is experimental for now, and is
|
||||
likely going to be generalized, renamed and removed in its current
|
||||
form in a future release, without retaining compatibility with its
|
||||
current implementation.
|
||||
|
||||
* The --make-machine-id-directory= switch to bootctl has been replaced
|
||||
by --make-entry-directory=, given that the entry directory is not
|
||||
necessarily named after the machine ID, but after some other suitable
|
||||
|
|
|
@ -206,8 +206,11 @@
|
|||
<varlistentry>
|
||||
<term>reboot-for-bitlocker</term>
|
||||
|
||||
<listitem><para>Work around BitLocker requiring a recovery key when the boot loader was
|
||||
updated (enabled by default).</para>
|
||||
<listitem><para>Caveat: This feature is experimental, and is likely to be changed (or removed in its
|
||||
current form) in a future version of systemd.</para>
|
||||
|
||||
<para>Work around BitLocker requiring a recovery key when the boot loader was
|
||||
updated (disabled by default).</para>
|
||||
|
||||
<para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found
|
||||
and Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal>
|
||||
|
|
|
@ -1549,7 +1549,7 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
|
|||
.editor = TRUE,
|
||||
.auto_entries = TRUE,
|
||||
.auto_firmware = TRUE,
|
||||
.reboot_for_bitlocker = TRUE,
|
||||
.reboot_for_bitlocker = FALSE,
|
||||
.random_seed_mode = RANDOM_SEED_WITH_SYSTEM_TOKEN,
|
||||
.idx_default_efivar = IDX_INVALID,
|
||||
.console_mode = CONSOLE_MODE_KEEP,
|
||||
|
@ -1983,6 +1983,9 @@ static EFI_STATUS boot_windows_bitlocker(void) {
|
|||
UINTN n_handles;
|
||||
EFI_STATUS err;
|
||||
|
||||
// FIXME: Experimental for now. Should be generalized, and become a per-entry option that can be
|
||||
// enabled independently of BitLocker, and without a BootXXXX entry pre-existing.
|
||||
|
||||
/* BitLocker key cannot be sealed without a TPM present. */
|
||||
if (!tpm_present())
|
||||
return EFI_NOT_FOUND;
|
||||
|
|
Loading…
Reference in a new issue