Slashdot Mirror


Dual Boot Not Trusted, Rejected By Vista SP1

Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system. The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."

19 of 525 comments

  1. Re:Only a problem if you have TPM? by doas777 · · Score: 5, Informative

    No, you just have to have a version of Vista that supports BitLocker, whether it is on or off. Enterprise and Ultimate are the only versions that support BL, so they are the ones that need the KB which is prerequisite to SP1 install (because SP1 upgrades some BitLocker features). Never Trust Trustworthy Computing. It hasn't earned it.

  2. Summary Needs Re-writing by mpapet · · Score: 5, Informative

    This *may* be a corner case as most TPMs were shipped in the disabled state back when XP was still shipping.

    Instead, how about testing the open source BIOS stack? Most of you have an unused box of recent vintage and I'm sure the projects can use the feedback.

    FYI: An open-sourced BIOS is an Achilles heel for Microsoft. Mobo OEMs will **jump** on a Free BIOS because it saves them money and eliminating TPM saves them much more money.

    Get involved!!

    http://www.coreboot.org/Welcome_to_coreboot

    http://openbios.info/Welcome_to_OpenBIOS

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  3. Re:Only a problem if you have TPM? by Ferzerp · · Score: 5, Informative

    I have Vista Enterprise on a dual boot laptop with a TPM that I have never enabled. Installing SP1 did nothing adverse to the dual boot capability.

  4. Re:Who cares? by gehrehmee · · Score: 5, Informative

    Linux with ntfs-3g has been supporting full read/write on NTFS for some time, and works out of the box on my Ubuntu Hardy machine anyways.

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  5. Re:Who cares? by jdb2 · · Score: 5, Informative

    Why do you say "Dual booting was always an ugly hack"?

    Two words: filesystem support.

    Boot up Linux and all the stuff on your NTFS partition is read-only.

    What? You know, Linux has had full NTFS Read/Write support for a while now, see:

    http://www.linux-ntfs.org/

    Also, ever heard about WUBI?

    jdb2

  6. Re:You can use the Vista boot loader by oldspewey · · Score: 5, Informative

    Just games? There are lots of people who run Windows as their primary OS (because it's what they are used to after spending 15+ years on a MS platform, or maybe because there are apps they rely on that aren't available elsewhere), and they dual boot Linux because they want to be able to hack around, learn more, and generally have fun.

    Taking an interest in Linux does not automatically mean somebody will abandon Windows the next morning.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  7. Re:But what if... by gparent · · Score: 5, Informative

    Informative gives Karma but Funny doesn't. Therefore, people who appreciate the post and wish to give the user some karma will choose Informative.

  8. Re:Vista and Mac OS? by Sentry21 · · Score: 5, Informative

    Intel Macs use EFI instead of a BIOS, and EFI uses GUID Partition Tables (GPT) instead of MBR.

    The space that the MBR used to sit in is reserved in GPT, so when a legacy system reads, uses, or modifies the partition table, it only changes the old MBR partition table, which is not actually used to boot. In contrast, Boot Camp's dual-boot features only use the GPT, which means that as far as Vista knows, it IS the only boot loader involved.
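The on-disk layout this post describes can be checked directly. The block below is an added example, not code from the post or from Apple or Microsoft: it builds a constructed LBA 0 containing a GPT "protective MBR" (one partition entry of type 0xEE starting at LBA 1 and covering the disk, which is what a legacy MBR-only tool sees), builds a constructed LBA 1 GPT header with a valid header CRC32, and parses both. A classic NTFS-style MBR is built alongside for contrast. The partition-entry array CRC is left at zero because no entry array is constructed here; the disk GUID is an arbitrary fixed value.

```python
"""Parse and build GPT protective MBRs and GPT headers (constructed example, not the post's code)."""
import struct
import uuid
import zlib

SECTOR = 512
MBR_TABLE_OFFSET = 446                # four 16-byte entries at 446..509, then 0x55AA
MBR_ENTRY = "<BBBBBBBBII"             # status, start CHS(3), type, end CHS(3), start LBA, sector count
PROTECTIVE_TYPE = 0xEE                # "GPT protective" partition type
NTFS_TYPE = 0x07
# signature, revision, header size, header CRC, reserved, current LBA, backup LBA,
# first usable LBA, last usable LBA, disk GUID, entry array LBA, #entries, entry size, entry array CRC
GPT_HEADER = "<8sIII4xQQQQ16sQIII"    # 92 bytes
GPT_HEADER_SIZE = struct.calcsize(GPT_HEADER)
DISK_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed value


def make_mbr(entries):
    """Build a 512-byte MBR from (type, start_lba, sector_count) tuples (constructed sector)."""
    sector = bytearray(SECTOR)
    for i, (ptype, start_lba, count) in enumerate(entries[:4]):
        off = MBR_TABLE_OFFSET + 16 * i
        # CHS start 0/0/2 and end 0xFFFFFF as the UEFI spec uses for the protective entry
        sector[off:off + 16] = struct.pack(MBR_ENTRY, 0x00, 0, 2, 0, ptype, 0xFF, 0xFF, 0xFF,
                                           start_lba, count)
    sector[510:512] = b"\x55\xAA"      # MBR boot signature
    return bytes(sector)


def protective_mbr(disk_sectors):
    """LBA 0 of a GPT disk: a single 0xEE entry spanning from LBA 1 to the end (capped at 32 bits)."""
    return make_mbr([(PROTECTIVE_TYPE, 1, min(disk_sectors - 1, 0xFFFFFFFF))])


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR sector."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    out = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        f = struct.unpack(MBR_ENTRY, sector[off:off + 16])
        if f[4] != 0:
            out.append({"type": f[4], "start_lba": f[8], "sectors": f[9]})
    return out


def is_gpt_disk(sector0):
    """A legacy tool that honours 0xEE sees the whole disk as taken; that is the protective entry."""
    return any(e["type"] == PROTECTIVE_TYPE and e["start_lba"] == 1 for e in parse_mbr(sector0))


def make_gpt_header(disk_sectors, disk_guid=DISK_GUID):
    """Build LBA 1: header CRC32 is computed with the CRC field zeroed, as the spec requires."""
    fields = [b"EFI PART", 0x00010000, GPT_HEADER_SIZE, 0, 1, disk_sectors - 1,
              34, disk_sectors - 34, disk_guid.bytes_le, 2, 128, 128, 0]
    fields[3] = zlib.crc32(struct.pack(GPT_HEADER, *fields)) & 0xFFFFFFFF
    return struct.pack(GPT_HEADER, *fields)


def verify_gpt_header(lba1):
    """Check signature and header CRC; a firmware would fall back to the backup header on failure."""
    f = list(struct.unpack(GPT_HEADER, lba1[:GPT_HEADER_SIZE]))
    if f[0] != b"EFI PART":
        return False
    stored, f[3] = f[3], 0
    return (zlib.crc32(struct.pack(GPT_HEADER, *f)) & 0xFFFFFFFF) == stored


if __name__ == "__main__":
    lba0 = protective_mbr(2048)
    print("GPT disk:", is_gpt_disk(lba0), parse_mbr(lba0))
    print("GPT header valid:", verify_gpt_header(make_gpt_header(2048)))
```

Note that `is_gpt_disk` keys on the 0xEE entry alone; a real boot path also reads LBA 1 and, if the primary header fails its CRC, the backup header at the last LBA.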

  9. Re:But what if... by Nimsoft · · Score: 5, Informative

    Not at all...

    Booting is handled by the EFI, and any operating system booted under the legacy BIOS emulation wouldn't be able to do a thing about it!

  10. Re:But what if... by Intron · · Score: 5, Informative

    It's only in Vista Enterprise or Vista Ultimate, which support disk encryption.

    --
    Intron: the portion of DNA which expresses nothing useful.
  11. Re:You can use the Vista boot loader by Intron · · Score: 5, Informative

    Date of article you reference: October 13, 2006

    Date of KB935509 update which breaks this: January 7, 2008

    --
    Intron: the portion of DNA which expresses nothing useful.
  12. Re:Not trusted for a reason by Anonymous Coward · · Score: 5, Informative

    No, they do. I think a lot of people here misunderstand what TPM is meant to actually do and what it's supposed to be good for; and what it is useless for. (Frankly, I'm not sure Microsoft fully understood.)

    It's because the MBR has *changed* that the chain isn't signed with something that will allow the system state register to authenticate with the TPM key storage; the register contents will have changed because the SHA-1 fingerprints changed, so you're not going to be able to get a coherent response from the TPM regarding any keys you've stored in it if you've taken ownership already. Without resetting the token and destroying the keys, that is.

    You want another way of doing this? Don't take ownership of the TPM to store the keys, but put 'em on a thumbdrive and use a secure passphrase (10 word Diceware, for example) to unlock them; this is also a supported mode of operation under BitLocker (assuming you trust the Elephant diffuser as being part of a reasonable cipher mode; frankly, I'm not that happy with it and prefer OCB or XTS modes, or failing that Linux's aes-cbc-essiv:sha256)... doing it the "thumbdrive way" is highly recommended when a TPM isn't available or wanted. Putting the hard disk encryption keys in the TPM isn't necessarily a good idea; they are recoverable given some effort, and that's not really what the TPM tech is for.

    This is all entirely by design; it's closing an actual security hole whereby a trojaned MBR could capture your encryption keys. Obviously this is unsuitable for any dual-booting setup. TPM just isn't designed to work with that kind of scenario; it's really more of a system for verifying extremely stable system images such as you might find on a server or tightly-controlled corporate workstation that you want to be able to have a reasonable degree of confidence hasn't had the MBR tampered with because it's a trusted client that handles classified data (and any tampering with the software whatsoever would decertify it).

    You control the chain of trust when you take ownership of the TPM; they do work just fine with Linux, and Linux does have support for them - if you want to know and prove to another system that the bootloader, BIOS, and kernel haven't changed since the state you knew was good, you can do that (although the proof is only as good as the integrity of the TPM).

    They're just hardware tokens coupled with a signed BIOS/bootloader/kernel, really. Handling the actual key management that results from that, or what you do with it, is entirely up to you.

    Vista using the TPM for BitLocker is hardly plug-and-play, and quite unsuitable for many scenarios (many TPMs out there don't even support TCG1.2); there's always TrueCrypt or PGP Whole Disk Encryption or one of the many other solutions available if you want a little more flexibility and control.

    In particular, it's not really about DRM. None of the DRM systems proposed or deployed have ever used it, or are likely to ever use any part of it, as a key storage blackbox, because an entirely homogeneous image just isn't something you can guarantee on any consumer box (that's one reason it's not even on or in the vast majority of OEM and consumer motherboards/chips). It's perhaps a bit more practical for laptops...

    Also, TPM implementations are quite breakable where the attacker has physical access and ownership of the machine and plenty of time. PCs aren't even consoles, and look what we've done to those...

    It's meant to be one interlocking part of a whole enterprise security solution. It sure as heck isn't a "magic crypto chip" that will lock up your PC, and it shares none of the common criteria with DRM scenarios (which are, of course, just as doomed if they use a hardware blackbox as if they use a software blackbox, because the plaintext is always available...). In fact, having a TPM around if you're running Linux will at least make sure you always have a secure entropy source for /dev/random...
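The mechanism this post describes, a register that changes when the boot chain's SHA-1 fingerprints change and a key that the chip will only hand back against the original register value, can be modelled in a few lines. The block below is an added example, not the post's code and not how Vista or a real TPM is implemented internally: the PCR extend rule (`PCR = SHA1(PCR || SHA1(measurement))`) is the TPM 1.2 one, but the seal/unseal step is a toy HMAC-based wrapping that merely stands in for the chip's sealed-storage operation, and the BIOS, MBR and bootmgr "images" are constructed byte strings. It shows why a different boot sector (the dual-boot case), or any other change earlier in the chain such as a BIOS update, makes the sealed key unrecoverable, and why restoring the original sector makes it recoverable again.

```python
"""Toy model of measured boot and PCR-sealed disk keys (constructed example, not the post's code)."""
import hashlib
import hmac

PCR_SIZE = 20                      # TPM 1.2 PCRs hold one SHA-1 digest

# Constructed stand-ins for the code a real TPM-aware boot would hash.
BIOS_V1 = b"vendor BIOS image v1"
BIOS_V2 = b"vendor BIOS image v2"  # e.g. after a firmware update
MBR_VISTA = b"Vista boot sector"
MBR_GRUB = b"GRUB stage1 boot sector"
BOOTMGR = b"bootmgr"
SRK = b"storage-root-key-that-never-leaves-the-chip"  # constructed; real SRK is chip-internal
VOLUME_KEY = bytes(range(32))      # the disk encryption key we want the chip to protect


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA1(PCR_old || SHA1(measurement)). Order-sensitive, not reversible."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """PCRs start at all zeros on power-on; each boot stage measures the next into the register."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Toy seal: wrap the secret under a key derived from SRK and the PCR value it is bound to."""
    wrap = hmac.new(SRK, expected_pcr, hashlib.sha256).digest()
    assert len(secret) <= len(wrap), "toy wrapper handles secrets up to 32 bytes"
    ciphertext = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Toy unseal: recompute the wrapping key from the *current* PCR; a mismatch fails the tag check."""
    wrap = hmac.new(SRK, current_pcr, hashlib.sha256).digest()
    ciphertext, tag = blob[:-32], blob[-32:]
    expected_tag = hmac.new(wrap, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None                # the chip refuses; the disk stays locked
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))


def boot_and_unseal(blob: bytes, components):
    """Simulate one boot with the given chain and ask for the sealed key."""
    return unseal(blob, measure_boot(components))


def scenario():
    """Seal against the Vista-only chain, then try the boots discussed in the thread."""
    blob = seal(VOLUME_KEY, measure_boot([BIOS_V1, MBR_VISTA, BOOTMGR]))
    return {
        "vista_only": boot_and_unseal(blob, [BIOS_V1, MBR_VISTA, BOOTMGR]),
        "dual_boot_mbr": boot_and_unseal(blob, [BIOS_V1, MBR_GRUB, BOOTMGR]),
        "bios_update": boot_and_unseal(blob, [BIOS_V2, MBR_VISTA, BOOTMGR]),
        "mbr_restored": boot_and_unseal(blob, [BIOS_V1, MBR_VISTA, BOOTMGR]),
    }


if __name__ == "__main__":
    for name, key in scenario().items():
        print(f"{name:14s} -> {'key released' if key else 'TPM refuses'}")
```

The `mbr_restored` case is the workaround from the summary in miniature: put the original boot sector back and the register returns to the sealed value. The thumbdrive/passphrase mode the post prefers for dual-boot machines simply does not enter the PCR into the unseal at all, so a changed chain has nothing to invalidate.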

  13. Re:But what if... by Oktober+Sunset · · Score: 5, Informative

    Too right, I just modded it informative too, and your post as well, so your ka... oh wait. whoops.

  14. Re:But what if... by Chris+Burke · · Score: 5, Informative

    Informative gives Karma but Funny doesn't. Therefore, people who appreciate the post and wish to give the user some karma will choose Informative.

    What I don't understand is why anyone would care... Slashdot Karma is competing with Kool-Aid Fun Points for score that has the least impact on my life.

    --

    The enemies of Democracy are
  15. Re:But what if... by Emperor+Zombie · · Score: 5, Informative

    This should definitely be modded Informative.

    --
    I'm so excited I just made water in my pantaloons!
  16. Re:But what if... by Chris+Burke · · Score: 5, Informative

    Oh, well heh, I think modding someone funny for being funny is nice enough for a little o' that real life karma. :)

    --

    The enemies of Democracy are
  17. Re:But what if... by Artuir · · Score: 5, Informative

    So "informative" is the new "funny"?

    Damn!

  18. Re:But what if... by jcuervo · · Score: 5, Informative

    Uh. Mods are now definitely literally on crack. Not behaving in an incomprehensible and unpredictable manner, they are putting the pipe to their lips and inhaling the smoke from burning crack cocaine.

    --
    Assume I was drunk when I posted this.
  19. Re:But what if... by Doug+Neal · · Score: 5, Informative

    Uh. Mods are now definitely literally on crack. Not behaving in an incomprehensible and unpredictable manner, they are putting the pipe to their lips and inhaling the smoke from burning crack cocaine.

    Name a better way to spend a Thursday morning with mod points in your account!