
The TPM tracks the state of Secure Boot and the BIOS; that log is stored in the TPM itself. The next time you try to boot into Windows, it will see that something happened and BitLocker will lock itself out.

Do this experiment.

Boot into any Linux live CD on a machine with bitlocker enabled.

Reboot and see what happens.



I did that last night. It didn't have any issues booting back into Windows after booting to a live USB.

I didn't change any parameters of the Windows boot option or the rest of the system.


It seems that this is a property of TPM 1.2.

> On devices with TPM 1.2, changing the BIOS or firmware boot device order

https://learn.microsoft.com/en-us/windows/security/operating...


Changing it will trigger recovery; changing it back to the original won't.


Yeah, I seem to recall that every time I've done that it auto-boots fine when I change it back to what it was before.

And as mentioned it's never had issues if I did a one off choice from the boot menu.


No, the TPM doesn't retain PCR measurements over reboots, and the log (rather than the composite PCR value) is handled by the firmware and the OS, and the TPM has no idea it exists.
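
An added example, not part of the thread and not code from Microsoft or any commenter: a small Python simulation of the mechanism the comment above describes. The TPM keeps only a running hash per PCR, reset to zero on every platform reset; the event log is something firmware and the OS keep on the side and can replay to recompute the same values. Sealing binds a secret to a set of PCR values, so a one-off live USB boot changes nothing for the following Windows boot, while a firmware change that is actually measured into a sealed PCR does. The boot sequences, the class and function names, and the choice of PCRs 7 and 11 as the sealing profile are constructed assumptions for illustration, not real measurements.

```python
import hashlib

# Added example (not from the thread): simulate PCR extend, a platform reset, and
# unsealing against a PCR policy. All names and event data are constructed.

PCR_COUNT = 24
INITIAL_PCR = bytes(32)  # SHA-256 bank PCRs start at all zeros after each reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = SHA256(old || SHA256(measurement)).

    Extend is one-way and order-sensitive; software cannot write or reset a
    boot PCR, only append to it."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


class SimTPM:
    """The only state a TPM keeps for measured boot: the running hash per PCR."""

    def __init__(self):
        self.reset()

    def reset(self):
        # A platform reset clears every boot PCR; nothing survives the last boot.
        self.pcrs = [INITIAL_PCR] * PCR_COUNT

    def extend(self, index: int, measurement: bytes):
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)

    def read(self, indices):
        return {i: self.pcrs[i] for i in indices}


def measured_boot(tpm: SimTPM, event_log):
    """Firmware and bootloader measure each component into a PCR.

    The TPM sees only the extend calls; the (index, description, data) log is
    kept by firmware and handed to the OS, and the TPM never stores it."""
    tpm.reset()
    for index, _description, data in event_log:
        tpm.extend(index, data)


def replay_log(event_log, indices):
    """What an OS or remote verifier does: recompute the PCRs from the log alone."""
    pcrs = {i: INITIAL_PCR for i in indices}
    for index, _description, data in event_log:
        if index in pcrs:
            pcrs[index] = pcr_extend(pcrs[index], data)
    return pcrs


def seal(tpm: SimTPM, indices):
    """Stand-in for a PCR policy: remember the values the secret is bound to."""
    return tpm.read(indices)


def unseal(tpm: SimTPM, policy):
    """The secret is released only if every selected PCR matches its sealed value."""
    return tpm.read(policy.keys()) == policy


# Constructed boot sequences. Indices follow common UEFI usage (7 = Secure Boot
# policy, 4 = boot manager code, 11 = the PCR BitLocker extends itself); using
# (7, 11) as the sealing profile is an assumption for this illustration.
WINDOWS_BOOT = [
    (0, "firmware code", b"UEFI fw 1.23"),
    (7, "secure boot state", b"SecureBoot=1"),
    (7, "db certificate used", b"Microsoft UEFI CA"),
    (4, "boot application", b"bootmgfw.efi"),
    (11, "bitlocker", b"VMK access allowed"),
]
LIVE_USB_BOOT = WINDOWS_BOOT[:3] + [
    (4, "boot application", b"shimx64.efi"),
    (4, "boot application", b"grubx64.efi"),
]
SECURE_BOOT_OFF = [(0, "firmware code", b"UEFI fw 1.23"),
                   (7, "secure boot state", b"SecureBoot=0")] + WINDOWS_BOOT[3:]

PROFILE = (7, 11)


def scenario():
    tpm = SimTPM()
    measured_boot(tpm, WINDOWS_BOOT)
    policy = seal(tpm, PROFILE)           # done once, when protection is enabled

    measured_boot(tpm, LIVE_USB_BOOT)     # the experiment from the thread
    during_live = unseal(tpm, policy)     # PCR 11 never extended: no key release

    measured_boot(tpm, WINDOWS_BOOT)      # reboot back into Windows: PCRs start over
    after_live = unseal(tpm, policy)

    measured_boot(tpm, SECURE_BOOT_OFF)   # a change that is measured into PCR 7
    with_sb_off = unseal(tpm, policy)

    return during_live, after_live, with_sb_off


def log_matches_tpm(event_log, tpm: SimTPM, indices=PROFILE):
    """Check a log the OS handed us against the PCRs the TPM actually holds."""
    return replay_log(event_log, indices) == tpm.read(indices)


if __name__ == "__main__":
    print(scenario())  # (False, True, False)
```

`scenario()` returns (False, True, False): the live USB boot could not unseal during that boot, the next Windows boot unseals normally because the PCRs were rebuilt from zero along the same path, and disabling Secure Boot fails because a sealed PCR now holds a different value. `log_matches_tpm` shows why the log is only a convenience: anyone can replay it, but only the TPM's composite value is trusted, and a log that does not replay to the live PCRs is simply wrong.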





