Due to a problem with my dual boot setup (Windows 11 Pro and Linux Mint), I needed to deactivate the PCR 4 from the Bitlocker Group Policies in order to not type in my Bitlocker recovery password every time I log into Windows.

More information on it can be found here, BitLocker group policy settings, at the "Configure TPM platform validation profile for native UEFI firmware configurations" part.

As for my dual boot setup, it is this one, [SOLVED] Dual booting Mint on a second drive independently, but with both drive encrypted with Bitlocker and LVM + LUKS for Linux Mint

The encryption guide I followed, Dual Booting Ubuntu With Windows 10 Pro With BitLocker Encryption.

What is going to be the impact in terms of security? I also needed to deactivate the PCR 7 "Secure Boot" to enable a dual boot setup, can you explain to me what this implies as well? What kind of attacks can still be used?

I just wanted to prevent my data from being recovered by some random coffeeshop thief, so I don't expect many security issues, I'm just generally interested in understanding how all of this is working. But the documentation isn't clear and I can't seem to find more information on this. I think I might be the only one dumb enough to do that kind of setup.

Anyway, thanks in advance and have a great day!

  • Add a more memorable BitLocker password then, instead of using the TPM protector. Check out the manage-bde command for full customizability.
    – Daniel B
    Commented Jul 19, 2022 at 16:47
  • My Bitlocker is TPM & PIN protected with an enhanced random passphrase generated with the dice method as a pin. Thanks for the tip still and for your time! Commented Jul 20, 2022 at 13:10

1 Answer

PCR 4 is the register that logs the exact hashes of all *.efi files involved in the boot process. Meanwhile, PCR 7 is the register that logs which CA certificates were used to validate Secure Boot signatures (e.g. it can distinguish "Windows CA" from "UEFI Third-party CA").

(Compare PCR 4 to ssh/known_hosts which remembers exact keys, and PCR 7 to web browsers which use CA certificates.)

The impact of disabling both PCR 4 and PCR 7 is that anyone will be able to swap the legitimate Windows bootloader with a "customized" version that gets the BitLocker key from your TPM as usual and then gives it to the attacker (allowing the disk to be decrypted), with relatively little difficulty.

It's probably still beyond the level of "yoink, wipe, and sell" thieves, but not something I'd trust with sensitive data.

Dual-boot with BitLocker doesn't require disabling either of those as long as you select Windows/Linux directly through the firmware boot menu (i.e. not starting Windows via GRUB).

  • Thanks for the insights, it answers all of my questions. I just can't stand going into my BIOS every time I change my OS as I'm rotating it quite often between work and gaming. Is there any convenient way that you are aware of like GRUB to make the change while keeping PCR 4 and 7 activated? Commented Jul 20, 2022 at 13:13
  • I wasn't talking about going into Setup and changing the boot order, I was talking about the "direct" menu that you get when pressing F8 or Esc (or F11, or F10, or...). But if you don't want to use that, then the easiest alternative is to have your current OS tell UEFI to directly reboot into another OS without using the boot menu. Assuming Linux (GRUB) is the default option, run efibootmgr to find the Windows boot entry ID, run efibootmgr --bootnext 0002 to set it as the "next boot" entry, and reboot as usual. Commented Jul 20, 2022 at 13:19
  • PCR4 should mostly work with GRUB, normally you will only need the BitLocker recovery if something changes – e.g. if GRUB gets updated, or if Windows BOOTMGR gets updated. On the other hand, PCR7 will never work with GRUB or any other external bootloader (even if it's Secure Boot-signed), as BitLocker is intentionally programmed to only rely on PCR7 if it indicates that only the "Windows CA" was used in the boot process. (That's mentioned in Event Viewer and in the MS docs somewhere.) Commented Jul 20, 2022 at 13:21
  • PCR4 used to work with just the dual drive setup, not the encrypted one. I guess something keeps changing in grub, maybe the Linux Mint theme is doing something like that. Or maybe it is related to the fact that GRUB autosaves the last boot option and pre-selects it, I think this is related to that. Anyway, I'll keep it deactivated as I now know the impact it has, it's not worth the extra complexity for my setup! Thanks! Commented Jul 21, 2022 at 17:19
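
The efibootmgr --bootnext procedure from the comments above, as an added example (not code from the question or the answer): a small POSIX shell script that picks the "Windows Boot Manager" entry out of efibootmgr's output and schedules it as the one-shot BootNext, so the firmware launches the Windows bootloader directly and GRUB never sits in Windows' measured boot path (which is what lets PCR 4 and PCR 7 stay in the BitLocker validation profile). The entry label "Windows Boot Manager", the sample efibootmgr output and the use of systemctl for the reboot are assumptions; the entry IDs in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Schedules a one-shot reboot into
# the Windows Boot Manager entry via efibootmgr --bootnext, leaving BootOrder
# (and therefore the GRUB default) untouched.
set -eu

# Constructed sample of non-verbose `efibootmgr` output, used for the dry run
# at the bottom. Real IDs on your machine will differ.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0002,0000
Boot0000* UiApp
Boot0001* ubuntu
Boot0002* Windows Boot Manager
Boot0003* UEFI OS'

# find_entry LABEL: reads efibootmgr output on stdin and prints the 4-hex-digit
# ID of the first active (*) entry whose label is exactly LABEL. Prints nothing
# if no such entry exists, so callers can detect a missing entry.
find_entry() {
    label=$1
    sed -n "s/^Boot\([0-9A-Fa-f]\{4\}\)\* $label\$/\1/p" | head -n 1
}

# reboot_into LABEL: resolves LABEL with the real efibootmgr, sets it as
# BootNext and reboots. Needs root (efibootmgr writes an EFI variable).
# Assumed: systemd is present for the reboot.
reboot_into() {
    id=$(efibootmgr | find_entry "$1")
    [ -n "$id" ] || { echo "no active boot entry named '$1'" >&2; return 1; }
    efibootmgr --bootnext "$id" >/dev/null
    systemctl reboot
}

# Dry run against the constructed sample: no firmware variable is touched.
windows_id=$(printf '%s\n' "$SAMPLE_EFIBOOTMGR" | find_entry "Windows Boot Manager")
echo "Windows Boot Manager is Boot$windows_id; a live run would execute: efibootmgr --bootnext $windows_id"
# To actually switch OS from Linux, run as root: reboot_into "Windows Boot Manager"
```

BootNext is consumed on the next boot only, so after Windows starts the firmware falls back to BootOrder and the next power-on lands in GRUB again; nothing about the default boot chain changes, which is the point. The match is on the exact label, so if the Windows entry has been renamed the function returns an empty string and reboot_into refuses rather than guessing.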
