author | Jan Janssen <medhefgo@web.de> | 2022-01-07 11:15:28 +0100
committer | Jan Janssen <medhefgo@web.de> | 2022-01-10 16:40:16 +0100
commit | 661615a0afacee3545cde0a48286c0fef983f8fe (patch)
tree | 461f2ebc3066c9d873428db05f270f69c15c5df0 /man/loader.conf.xml
parent | a87e9cd79f61da25c55cac1778bfb6d533e174cb (diff)
download | systemd-661615a0afacee3545cde0a48286c0fef983f8fe.tar.gz
boot: Add BitLocker TPM key sealing workaround
Fixes: #21891
Diffstat (limited to 'man/loader.conf.xml')
-rw-r--r-- | man/loader.conf.xml | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/man/loader.conf.xml b/man/loader.conf.xml index 9fdd1e78d4..579eaddebe 100644 --- a/man/loader.conf.xml +++ b/man/loader.conf.xml @@ -197,6 +197,28 @@ </varlistentry> <varlistentry> + <term>reboot-for-bitlocker</term> + + <listitem><para>Work around BitLocker requiring a recovery key when the boot loader was + updated (enabled by default).</para> + + <para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found + and Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal> + EFI variable and restart the system. The firmware will then start Windows Boot Manager + directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption + key. This allows systemd-boot to be updated without having to provide the recovery key for + BitLocker drive unlocking.</para> + + <para>Note that the PCRs that Windows uses can be configured with the + <literal>Configure TPM platform validation profile for native UEFI firmware configurations</literal> + group policy under <literal>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption</literal>. + When secure boot is enabled, changing this to PCRs <literal>0,2,7,11</literal> should be safe. + The TPM key protector needs to be removed and then added back for the PCRs on an already + encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed + up booting into Windows.</para></listitem> + </varlistentry> + + <varlistentry> <term>random-seed-mode</term> <listitem><para>Takes one of <literal>off</literal>, <literal>with-system-token</literal> and |
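Review bot: the new reboot-for-bitlocker entry never says what values the option accepts, whereas the neighbouring random-seed-mode entry opens with "Takes one of ..."; since the first paragraph says "(enabled by default)", add a sentence such as "Takes a boolean argument." so readers know how to turn it off. In the last paragraph, "changing this to PCRs 0,2,7,11 should be safe" would read more clearly if it stated outright that the purpose is to stop measuring PCR 4, the register that changes when the boot loader is updated (the closing sentence "If PCR 4 is not measured, this setting can be disabled" already assumes the reader knows this), and noted what a user gives up by no longer binding the key to it.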