I’m in the process of attempting to set up TPM FDE for a computer shared with a small team. The idea seems to be a better fit since I don’t need to share the encryption key with the other users.
The issue that I’m seeing is that I also want to be able to install Windows 11 on this computer. Since the Windows 11 installer wipes the TPM I now need to type the recovery code in every time Ubuntu boots.
Is there a way to have the two OSes share the TPM? Or an alternative method in which I can encrypt the drive without requiring the user to know the encryption key?
I was able to find a post that looks at this with Windows 10 but with TPM and Secure boot being enforced in Windows 11 I believe this article is out of date now:
https://askubuntu.com/questions/1142803/dual-boot-ubuntu-with-luks-tpm-and-windows-10-with-bitlocker
Recently we had a discussion on this subject. You will find reading it relevant.
https://discourse.ubuntu.com/t/why-is-grub-missing-how-can-i-edit-boot-menu/51328
You also say this:
Does this mean that you have succeeded in installing both Ubuntu and Windows 11 on the machine? And that you now have some kind of dual booting?
Could you please explain the method you used? Windows already installed and then installed Ubuntu? Ubuntu with or without TPM backed Full Disk Encryption? Or was Windows installed second?
We have already determined that when Ubuntu is installed with TPM backed FDE the usual commands to update the grub configuration files (hence the Grub boot menu) do not work. In fact, they cannot work.
It is still to be determined (by us simple users) that the TPM can hold more than one encryption key. It could be that installing Ubuntu with TPM backed FDE also “wipes” the TPM.
Regards
Yes! I’ve been able to install both OSes on the machine on two different drives. Ubuntu first with TPM FDE, Windows second. This means that Windows has now reset the TPM and I currently am using the BIOS to manage the boot order, but this is currently a POC and we would want to do grub in the future, but one step at a time.
So the configuration which we use is actually three OSes. We have two OSes for development work (Windows 11 and Ubuntu, currently 22.04) and one Ubuntu for customer demos. The two development OSes are encrypted.
Since we have the customer OS we are able to configure grub on that boot partition and point it at both dev OS.
With LUKS we were able to decrypt the drive when configuring the system to find the boot partition of the dev Ubuntu drive using os-prober.
Hopefully that helps with the background of what I’m able to work with.
The core of the issue which I’m seeing is that the TPM was reset after Windows was installed. I guess I’m just in the same boat as all of us simple users, not knowing if multiple keys can be stored.
When I spoke of “us simple users” I was hoping to prod someone with technical knowledge of TPM to join the conversation. That has not happened.
My laptop has TPM 2.0 and the UEFI settings utility will allow me to disable and enable TPM. It will also allow me to Clear TPM. The UEFI says “that removes all context associated with a specific owner.”
According to Microsoft, Windows will take “ownership” of the TPM. I think that has happened in your case.
Will clearing the TPM break that ownership? I have no idea. I cannot make a recommendation. No experience.
Secure Boot has a database of verified boot loaders. Ubuntu developers arranged with Microsoft to get the Ubuntu Grub boot files verified and safe to use and then to be listed in the Secure Boot Database. And so we can dual boot.
I am guessing that Trusted Platform Module does things differently. We are not meant to dual boot when an operating system takes ownership of the TPM. This would especially be so with Full Disk Encryption.
When we install Ubuntu with TPM + FDE we use a method pioneered in Ubuntu Core where the Linux kernel and Grub are snap packaged and not Debian (deb) packaged.
This means that the update-grub command does not work. No dual booting. Also if we run update-grub on traditional (deb based) Ubuntu it will not detect Grub boot files in Ubuntu + TPM + FDE. No dual booting from that direction.
I think that wanting the developers to change things would weaken the security of Ubuntu + TPM + FDE. Which would lessen its attractiveness to commercial users.
Regards
From my understanding, TPM and secure boot are related but are totally different. TPM stores sensitive data, Secure boot checks the validity of the OS which is being booted.
Secure boot is a validity check that the OS has been signed using an authorised key; it is effectively a hash to prove that the OS has not been tampered with. I think even though Secure boot and TPM are normally talked about at the same time due to them both being hardware security, secure boot isn’t really important to this issue. The fact that I’m able to boot both OSes proves that they are both trusted by the secure boot process.
By “taking ownership” what I think is happening is that the TPM is cleared and loaded with the keys for the new OS, in my case Windows.
So clearing the TPM is effectively just deleting the encryption key for that OS.
I may have incorrectly tagged this thread. I’m not using Ubuntu Core; I assumed that core was the common code across the different versions that Ubuntu provides, but after some googling it looks to be something different? Is there a way for me to check the tags and change them?
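A simplified model of the behaviour described in the posts above (a TPM clear deleting the key sealed for one OS, so the LUKS recovery code is needed), added here as an illustration; it is not code from this thread or from Ubuntu’s snapd/secboot. The storage seed, PCR extend chain and HMAC-based wrapping are assumptions standing in for the real TPM key hierarchy; only the PCR extend formula matches what a TPM does.

```python
"""Model: a LUKS key sealed to a TPM storage seed plus a PCR policy digest.
TPM2_Clear regenerates the storage seed, so every object sealed under the
old hierarchy becomes unrecoverable even though the PCR values are unchanged.
Assumed construction: HMAC-SHA256 wrapping key, XOR blob, HMAC tag."""
import hashlib
import hmac
import os


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    # Real TPM PCR extend: PCR_new = H(PCR_old || H(measurement))
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def boot_pcr(*boot_chain: bytes) -> bytes:
    pcr = bytes(32)  # PCRs start at zero on each platform reset
    for component in boot_chain:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal(storage_seed: bytes, pcr_value: bytes, secret: bytes) -> bytes:
    # Wrapping key depends on the seed (lost on TPM clear) and the PCR policy
    wrap = hmac.new(storage_seed, b"seal" + pcr_value, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return blob + tag


def unseal(storage_seed: bytes, pcr_value: bytes, sealed: bytes):
    blob, tag = sealed[:32], sealed[32:]
    wrap = hmac.new(storage_seed, b"seal" + pcr_value, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap, blob, hashlib.sha256).digest()):
        return None  # seed or policy mismatch: the TPM refuses to unseal
    return bytes(a ^ b for a, b in zip(blob, wrap))


def demo() -> dict:
    luks_key = os.urandom(32)           # constructed sample volume key
    seed_ubuntu = os.urandom(32)        # storage seed when Ubuntu sealed the key
    pcr_ubuntu = boot_pcr(b"shim", b"grub", b"ubuntu-kernel")  # constructed chain
    sealed = seal(seed_ubuntu, pcr_ubuntu, luks_key)
    return {
        "same_tpm_same_boot": unseal(seed_ubuntu, pcr_ubuntu, sealed) == luks_key,
        # Windows installer clears the TPM: new seed, old sealed blob is dead
        "after_tpm_clear": unseal(os.urandom(32), pcr_ubuntu, sealed) == luks_key,
        # Different measured boot chain: policy digest no longer matches
        "different_boot_chain": unseal(seed_ubuntu, boot_pcr(b"bootmgfw"), sealed) == luks_key,
    }
```

Only the first case unlocks without the recovery code; the LUKS recovery keyslot never depends on the TPM, which is why it keeps working after the clear.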
I do not think that your topic has the wrong title or incorrectly tagged. The word “core” is thrown about a lot.
It is the common code across the different versions that Ubuntu provides but there is a special use of the word “core.” It also refers to a version of Ubuntu core components that are all snap packaged. It is intended for Internet of Things devices. It does not have a desktop environment.
Just to confuse us further, there is a development version of Ubuntu Core that does have a desktop environment. It is called “Ubuntu Core Desktop.”
With Ubuntu Core and Ubuntu Core Desktop every component of the operating system is a snap package. Including the Linux kernel and the grub boot loader. There is no dual booting with these versions of Ubuntu.
Now we get to Ubuntu with TPM backed Full Disk Encryption (FDE). The developers are using their code from Ubuntu Core. So, not only do we have the TPM not able to “be owned” by more than one operating system. We also have the kernel and Grub boot loader code as snap packages.
Microsoft has never accepted Windows dual booting with anything other than another version of Windows. This is the One Machine - One Operating System concept. Only now, there is a version of Ubuntu that can also claim the One Machine - One OS concept, and not for reasons of profit but for security.
Regards