Slashdot Mirror


Dual Boot Not Trusted, Rejected By Vista SP1

Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system. The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."

11 of 525 comments

  1. But what if... by ivan256 · · Score: 4, Interesting

    What happens on systems without a TPM?

    1. Re:But what if... by Sancho · · Score: 5, Interesting

      Not at all true. Security isn't binary. Bitlocker alone will stop 99% of attackers who try to get at your data through physical access. The rest probably won't bother with a trojan bootloader--they'll either use rubber hose cryptanalysis or a hardware keylogger, depending upon how stealthy they want to be.

      I don't see a problem with Bitlocker using TPM in this way at all. But it should allow me to disable the bootloader check if I so choose.

    2. Re:But what if... by sweet_petunias_full_ · · Score: 4, Interesting

      Or it could just be a subtle, intentional way of censoring what somebody considers a really sensitive topic. The way it works is that first page of the posts are basically offtopic throwaway posts that get modded up by the gatekeepers to force any ontopic comments (if any) into the second page. Thus, any noobs or stray readers will not even find out why anyone would care about the topic, will be distracted by what seems a stupid, nonsensical discussion and go read something else. Thus, the extent of any negative public reaction is effectively controlled.

      --
      You can't send a takedown notice to an already printed newspaper.

  2. Vista and Mac OS? by TheMidnight · · Score: 5, Interesting

    Has anyone tried this with Boot Camp? I had no problems with Mac OS X and FileVault dual-booting with either XP SP2 or Vista base.

  3. Not trusted for a reason by naoursla · · Score: 5, Interesting

    If you are using BitLocker then you want your data to be secure. There are probably ways that a compromised boot loader can allow an attacker access to your data. Vista closes this security hole by requiring the boot loader to be a cryptographically signed binary that it trusts. If it didn't, this story would instead be "Vista BitLocker encryption not secure on dual boot systems".

    That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.
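The mechanism behind the summary's "invalidated trust chain" and naoursla's point about a signed boot loader is TPM measured boot plus sealing: each boot stage is hashed into a Platform Configuration Register, and the disk key is sealed so the TPM only releases it when the PCR holds the expected value. The following is an added example, not code from this thread, Slashdot or Microsoft: the `SimulatedTPM` class, its toy stream cipher, and the constructed byte strings standing in for firmware, loader and OS images are all assumptions, modelling real TPM 1.2 sealing in the simplest way that still shows why a different loader, or a Service Pack that changes the measured OS components, leaves the key unreleased until it is resealed.

```python
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs are SHA-1 sized; Vista-era BitLocker used TPM 1.2


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || SHA1(component)).
    Order matters and nothing can be 'un-extended', so the PCR is a boot log."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Start from the power-on value (all zeros) and extend once per boot stage."""
    pcr = bytes(PCR_LEN)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


class SimulatedTPM:
    """Toy model (an assumption, not a real TPM) of sealing: the wrapping key is
    derived inside the 'chip' from a secret that never leaves it plus the PCR
    value the blob was sealed against, so the host never sees the key."""

    def __init__(self):
        self._srk = os.urandom(32)  # storage root key, chip-resident

    def _wrap_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, b"seal" + pcr, hashlib.sha256).digest()

    @staticmethod
    def _xor_stream(key: bytes, data: bytes) -> bytes:
        # Keystream = SHA256(key || counter); a toy cipher for illustration only.
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
            out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def seal(self, secret: bytes, pcr_now: bytes) -> dict:
        """Encrypt `secret` under a key tied to the current PCR value and record
        which PCR value the blob expects (the blob holds no key material)."""
        k = self._wrap_key(pcr_now)
        ct = self._xor_stream(k, secret)
        tag = hmac.new(k, ct, hashlib.sha256).digest()
        return {"expected_pcr": pcr_now, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, pcr_now: bytes):
        """Release the secret only if the current PCR equals the sealed value;
        a changed boot chain yields a different PCR and nothing is released."""
        if not hmac.compare_digest(blob["expected_pcr"], pcr_now):
            return None
        k = self._wrap_key(pcr_now)
        expected_tag = hmac.new(k, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(blob["tag"], expected_tag):
            return None
        return self._xor_stream(k, blob["ct"])


# Constructed boot-stage stand-ins; real measurements hash the actual images.
FIRMWARE = b"constructed: BIOS image v1"
MS_LOADER = b"constructed: Microsoft bootmgr"
DUAL_LOADER = b"constructed: third-party chainloading boot loader"
OS_RTM = b"constructed: Vista RTM boot components"
OS_SP1 = b"constructed: Vista SP1 boot components"
VMK = b"constructed volume master key"  # stand-in for BitLocker's volume master key


def run_scenarios() -> dict:
    """Seal the key against the original chain, then try to unseal it under
    the same chain, a dual-boot loader, a Service Pack, and after resealing."""
    tpm = SimulatedTPM()
    baseline = measure_boot_chain([FIRMWARE, MS_LOADER, OS_RTM])
    blob = tpm.seal(VMK, baseline)
    sp1_chain = measure_boot_chain([FIRMWARE, MS_LOADER, OS_SP1])
    resealed = tpm.seal(VMK, sp1_chain)  # the "reseal after patching" step
    return {
        "same_chain": tpm.unseal(blob, measure_boot_chain([FIRMWARE, MS_LOADER, OS_RTM])),
        "dual_boot_loader": tpm.unseal(blob, measure_boot_chain([FIRMWARE, DUAL_LOADER, OS_RTM])),
        "after_service_pack": tpm.unseal(blob, sp1_chain),
        "resealed_after_sp": tpm.unseal(resealed, sp1_chain),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'key released' if result == VMK else 'key withheld'}")
```

The two withheld cases are the same failure from the TPM's point of view: it cannot tell a malicious loader from a legitimate third-party one or a vendor patch, it only sees that the PCR no longer matches. That is why the workaround in the summary (boot the original chain, patch, then re-establish the new chain) amounts to resealing against the new measurements, and why a BitLocker recovery key should be backed up before any change to the boot path.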

  4. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  5. Re:Only a problem if you have TPM? by Ferzerp · · Score: 4, Interesting

    (I, however, use the Windows boot loader.)

  6. Re:You can use the Vista boot loader by ashayh · · Score: 4, Interesting

    Many desktop motherboards give the option of booting from specific hard drives. That's the option I use. I install the OS on a hard drive as if it were the only OS, then choose the hard drive while booting up. The downside is, I have to remember which of my 3 drives has which OS.

  7. Re:You can use the Vista boot loader by cortana · · Score: 4, Interesting

    Because their customers want them to.

    Using the Windows boot loader to chainload code off another partition is, AFAIK, impossible.

    Besides, in Vista the nice, easy-to-modify boot.ini file is gone. It is replaced by yet another binary registry-like database. Typical Microsoft.

  8. Re:Only a problem if you have TPM? by Chrontius · · Score: 4, Interesting

    Trusted != Trustworthy. In the intelligence community, a "Trusted Party" is a party that knows enough to backstab you. That is all "Trusted Computing" implies.

  9. Re:Except that... by mikael · · Score: 4, Interesting

    Our lab technicians were upgrading Vista PCs to use the department's standard Linux build. For whatever reason, the BIOS wouldn't allow the Linux install DVD to boot. So they had to remove the hard disk drives out of the PCs with built-in trusted security BIOSes, pop them into an older untrusted XP system, and then install the Linux build and put the hard disk drive pack in again. It's a pain, but if OS vendors are going to install security measures without consulting their users, this is what is going to happen. Everyone is going to think of ways of getting around these "security measures".

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads