From: Ian Bannerman <ian at internals.io>
Date: Tue, 29 Apr 2014 14:43
To: syslinux at zytor.com
Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers

Any deviation from the expected boot process will prevent BitLocker from accessing the volume key in the TPM. One reason this behavior exists is to prevent malicious code from being loaded (such as via booting first to CD / USB / PXE, loading malware, and then continuing to boot to Windows). So what's happening here is the deviation from firmware -> PXE -> HDD is detected and the volume key is not released.

There is no circumventing this behavior.

--Ian

> Date: Mon, 28 Apr 2014 16:35:41 -0400
> From: gene.cumm at gmail.com
> To: Matthew.Taylor at chevron.com
> CC: syslinux at zytor.com
> Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers
>
> On Mon, Apr 28, 2014 at 4:06 PM, Taylor Jr, Matthew [U.S. Computer Corp] <Matthew.Taylor at chevron.com> wrote:
> > Label is OS and I believe they are all booting MBR. Is there a way to clear the memory then continue loading? Or rebooting the machine from the menu.
>
> No, the entire LABEL stanza including its LOCALBOOT/COM32/KERNEL and APPEND lines as applicable.
>
> --
> -Gene
>
> A: Because it messes up the order in which people normally read text, especially the archives of mailing lists.
> Q: Why is Top-posting such a bad thing?
>
> > -----Original Message-----
> > From: Gene Cumm [mailto:gene.cumm at gmail.com]
> > Sent: Monday, April 28, 2014 1:04 PM
> > To: Taylor Jr, Matthew [U.S. Computer Corp]
> > Cc: syslinux at zytor.com
> > Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers
> >
> > On Mon, Apr 28, 2014 at 3:37 PM, Taylor Jr, Matthew [U.S. Computer Corp] <Matthew.Taylor at chevron.com> wrote:
> > > Hello;
> > >
> > > I use BitLocker on my machines and I notice that when I am in my PXE menu and I select "Boot to Local Hard Drive" it continues on, then BitLockers. I am assuming that the syslinux is still in memory; BitLocker is being triggered because of the change. I need a solution to overcome this. I cannot remove BitLocker from the machines.
> >
> > What does your LABEL look like?
> > Are you booting the MBR or VBR?
> >
> > --
> > -Gene

_______________________________________________
Syslinux mailing list
Submissions to Syslinux at zytor.com
Unsubscribe or set options at:
http://www.zytor.com/mailman/listinfo/syslinux
From: Gene Cumm <gene.cumm at gmail.com>
Date: Fri, 2 May 2014 19:08:27 -0400
To: ian at internals.io
CC: syslinux at zytor.com; matthew.taylor at chevron.com
Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers

On Tue, Apr 29, 2014 at 2:43 PM, Ian Bannerman <ian at internals.io> wrote:
> Any deviation from the expected boot process will prevent BitLocker from accessing the volume key in the TPM. One reason this behavior exists is to prevent malicious code from being loaded (such as via booting first to CD / USB / PXE, loading malware, and then continuing to boot to Windows). So what's happening here is the deviation from firmware -> PXE -> HDD is detected and the volume key is not released.
>
> There is no circumventing this behavior.
>
> --Ian

I started wondering if you could use a TPM for key management but disable the system integrity check.

http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_WhatIsBitLocker seems the closest to saying no (though indirectly).

The wording of "On computers that have a Trusted Platform Module (TPM) version 1.2 or 2.0, BitLocker uses the enhanced security capabilities" doesn't say it's optional.

--
-Gene
From: Ian Bannerman <ian at internals.io>
To: gene.cumm at gmail.com
CC: syslinux at zytor.com; matthew.taylor at chevron.com
Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers

That's a great question, actually; I should have remembered to mention that!

You can control what factors are used for the TPM's integrity check to release the BitLocker key on boot. Depending on whether you're on a BIOS or EFI machine, there are slight differences, but it is definitely controllable by group policy.

http://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx#BKMK_depopt3

I have not tried to disable whichever one of the PCRs prevents boot deviations, but it may very well be possible. You can find more documentation on the PCRs in the TPM spec:

http://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx#BKMK_depopt3

Bear in mind though that this would make it trivial to load malicious code before boot, defeating a key piece of BitLocker's protection. For example, anyone could pop Kon Boot into the machine and skate through login, something that would be blocked were this particular protection not disabled.

I hope that helps, good luck!

--Ian

> Date: Fri, 2 May 2014 19:08:27 -0400
> From: gene.cumm at gmail.com
> To: ian at internals.io
> CC: syslinux at zytor.com; matthew.taylor at chevron.com
> Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers
>
> On Tue, Apr 29, 2014 at 2:43 PM, Ian Bannerman <ian at internals.io> wrote:
> > Any deviation from the expected boot process will prevent BitLocker from accessing the volume key in the TPM. [...]
> >
> > There is no circumventing this behavior.
>
> I started wondering if you could use a TPM for key management but disable the system integrity check.
>
> http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_WhatIsBitLocker seems the closest to saying no (though indirectly).
>
> The wording of "On computers that have a Trusted Platform Module (TPM) version 1.2 or 2.0, BitLocker uses the enhanced security capabilities" doesn't say it's optional.
>
> --
> -Gene
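As an added illustration of the measured-boot behaviour Ian describes in his two replies (example code written for this page, not code from the thread, Syslinux or Microsoft): a simplified model of TPM 1.2 PCR extend and key sealing shows why the firmware -> PXE -> HDD detour leaves a different PCR value than firmware -> HDD, and what dropping a PCR from the validation profile gives up. The PCR numbering, the measurements and the profile tuples are constructed assumptions, not BitLocker's real validation profile.

```python
"""Simplified model of PCR-sealed key release (added example, constructed values)."""
import hashlib

def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(measurement)); reset value is 20 zero bytes.
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measured_boot(events):
    """Replay (pcr_index, data) events in boot order and return the final PCR bank."""
    pcrs = {i: b"\x00" * 20 for i in range(24)}
    for idx, data in events:
        pcrs[idx] = extend(pcrs[idx], data)
    return pcrs

def composite(pcrs, profile):
    """Digest over the PCRs selected by the validation profile (simplified composite hash)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(profile))).digest()

def seal(key, pcrs, profile):
    # The sealed blob remembers which PCRs were selected and what they looked like at seal time.
    return {"profile": tuple(sorted(profile)), "policy": composite(pcrs, profile), "key": key}

def unseal(blob, pcrs):
    # The TPM releases the key only if the selected PCRs match the seal-time policy.
    if composite(pcrs, blob["profile"]) != blob["policy"]:
        return None
    return blob["key"]

# Constructed measurements. Assumed layout: PCR 0 = firmware, PCR 4 = boot code that ran.
FIRMWARE = b"OEM firmware image v1"
MBR = b"Windows MBR + boot manager"
PXE_NBP = b"pxelinux.0 + syslinux modules"

NORMAL_BOOT = [(0, FIRMWARE), (4, MBR)]                 # firmware -> HDD
PXE_THEN_LOCALBOOT = [(0, FIRMWARE), (4, PXE_NBP), (4, MBR)]  # firmware -> PXE -> HDD (LOCALBOOT)
TAMPERED_MBR_BOOT = [(0, FIRMWARE), (4, b"modified MBR")]     # what the check exists to catch

def volume_key_released(profile=(0, 4), boot=PXE_THEN_LOCALBOOT):
    """Seal a constructed VMK against NORMAL_BOOT, then try to unseal after `boot`."""
    sealed = seal(b"VMK-constructed", measured_boot(NORMAL_BOOT), profile)
    return unseal(sealed, measured_boot(boot)) is not None
```

With PCR 4 in the profile the PXE detour and the modified MBR are both refused; with the profile reduced to PCR 0 alone both are released, which is the trade-off Ian points out.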