For the literally dozens of people who care about the intersection of TPM remote attestation, kexec, Windows, and BitLocker: LinuxBoot can receive the BitLocker key from the remote attestation server, which is passed to the kexec'ed Windows boot loader via a UEFI ramdisk, so there is no cleartext on the disk, not even an EFI System Partition.


@th hang on a sec; 'kexec'ed Windows boot loader'?! htf are you kexec'ing a Windows boot loader?


@penguin42 kexec_load() takes a memory map of segments and doesn't care about the actual file format (although the kexec tool does, since it has to build that map). In this case I'm actually kexec'ing a special build of edk2 called UefiPayloadPkg that then loads the Windows boot loader from a ramdisk rather than the real disk.

@th So that's LinuxBoot -> kexec -> UefiPayloadPkg -> Windows boot loader? 'fun'
If you're running BitLocker in Windows, are any of those components actually updating the TPM?
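As an added example (not code from the thread, nor from the LinuxBoot or edk2 projects), here is the segment list that kexec_load() would consume for the chain @th describes: a UefiPayloadPkg image followed by a ramdisk carrying the Windows boot loader. The struct mirrors the kernel's kexec_segment, the 16 MiB load base is an assumed value, and the syscall itself is deliberately not made.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE    4096UL
#define MAX_SEGMENTS 16

/* Mirrors struct kexec_segment from the kernel's <linux/kexec.h>. */
struct kexec_segment { const void *buf; size_t bufsz; const void *mem; size_t memsz; };
struct layout { struct kexec_segment seg[MAX_SEGMENTS]; unsigned long nr; };

static size_t page_align(size_t n) { return (n + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }

/* Append a raw blob to be copied to physical address paddr.  The kernel only
 * sees (buf, bufsz, mem, memsz); it never parses the blob, which is why a
 * UEFI firmware volume or a ramdisk image can be kexec'ed just like a bzImage.
 * Applies the same sanity rules the kernel enforces: page-aligned address,
 * page-aligned memsz >= bufsz, no overlap.  Returns 0 on success, -1 if rejected. */
int add_segment(struct layout *l, const void *blob, size_t len, uintptr_t paddr)
{
    if (l->nr >= MAX_SEGMENTS || len == 0 || paddr % PAGE_SIZE) return -1;
    size_t memsz = page_align(len);
    for (unsigned long i = 0; i < l->nr; i++) {
        uintptr_t s = (uintptr_t)l->seg[i].mem, e = s + l->seg[i].memsz;
        if (paddr < e && paddr + memsz > s) return -1;     /* overlaps segment i */
    }
    l->seg[l->nr++] = (struct kexec_segment){ blob, len, (const void *)paddr, memsz };
    return 0;
}

/* Lay out the UefiPayloadPkg image followed by the ramdisk that carries the
 * Windows boot loader (and, in this setup, the BitLocker key received from the
 * attestation server: it only ever lives in these segments, never on disk).
 * The 16 MiB base is an assumed value for illustration.  Returns the ramdisk's
 * physical address, or 0 if the layout is invalid. */
uintptr_t build_layout(struct layout *l, const void *payload, size_t plen,
                       const void *ramdisk, size_t rlen)
{
    const uintptr_t base = 0x1000000;
    memset(l, 0, sizeof *l);
    if (add_segment(l, payload, plen, base)) return 0;
    uintptr_t rd = base + page_align(plen);
    if (add_segment(l, ramdisk, rlen, rd)) return 0;
    /* The real load would now be
     *   syscall(SYS_kexec_load, entry, l->nr, l->seg, KEXEC_ARCH_DEFAULT);
     * which needs CAP_SYS_BOOT and is intentionally not performed here. */
    return rd;
}
```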

Mastodon.org.uk