Dual Boot Not Trusted, Rejected By Vista SP1
Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system.
The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."
What happens on systems without a TPM?
Dual boot systems generally aren't a pain to set up (unless you load Windows second and it overwrites your boot sector). Dual boots are well documented and many people know to load Windows first and then load Linux second and replace the boot sector with LILO or GRUB so you can boot into your choice. It's only Windows that doesn't give choice (as per usual).
This is my sig. There are many like it but this one is mine.
Does one of the more popular Vista cracks not rely on booting Grub4Dos to load a bit of code to patch the kernel after boot?
I am thinking this will affect the crack.
Before anyone says it, no, I am not running a pirate version of Vista, so I cannot check. In fact... not running any version of Vista, joy!
Has anyone tried this with Boot Camp? I had no problems with Mac OS X and FileVault dual-booting with either XP SP2 or Vista base.
It's only Windows that doesn't give choice
I have heard that is a feature that we pay extra for.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
In which case you can no longer trust linux.
Good thing I'm running Mojave and not Vista.
MABASPLOOM!
So... yeah. Anyone technical enough to change their bootloader should know how to put it back temporarily so it can get updated.
If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L.
I thought that was the entire point of BitLocker - don't unlock things unless you know that you're not running on top of some evil VM.
And no TPM in the laptop.
That's the whole point of the problem, TPM has begun causing issues. You don't have TPM, so you are not affected.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I'm hoping some joker with the next viable vista virus uses it to trigger trusted computing into locking machines.
Let's see Vista's adoption rate when word gets out it bricks your entire system if you get a virus.
If you are using BitLocker then you want your data to be secure. There are probably ways that a compromised boot loader can allow an attacker access to your data. Vista closes this security hole by requiring the boot loader to be a cryptographically signed binary that it trusts. If it didn't, this story would instead be "Vista BitLocker encryption not secure on dual boot systems".
That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.
Are so few people dual booting Vista and Linux that this story hasn't hit Slashdot until now? Is it even still applicable?
Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
No, you just have to have a version of Vista that supports BitLocker, whether it is on or off. Enterprise and Ultimate are the only versions that support BL, so they are the ones that need the KB which is prerequisite to SP1 install (because SP1 upgrades some BitLocker features). Never Trust Trustworthy computing. it hasn't earned it.
Comment removed based on user account deletion
This *may* be a corner case as most TPM's were shipped in the disabled state back when XP was still shipping.
Instead, how about testing the open source BIOS stack? Most of you have an unused box of recent vintage and I'm sure the projects can use the feedback.
FYI: An open sourced bios is an Achilles heel for Microsoft. Mobo OEM's will **jump** on a Free bios because it saves them money and eliminating TPM saves them much more money.
Get involved!!
http://www.coreboot.org/Welcome_to_coreboot
http://openbios.info/Welcome_to_OpenBIOS
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
c:\> FDISK /MBR /dev/hda1
Out of Memory
c:\> format c:
Out of Disk Space
c:\> edlin config.sys
File not found
c:\> set PROMPT=$
$ mke2fs
I thought it was: Shit Out of Luck
which is not in your list.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Vista's security chain works as designed and intended, preventing you from injecting an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isn't a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.
If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.
The ONLY flaw I see in the entire Vista/TPM system is that users don't seem to have a way of manually trusting things they genuinely want to trust. If it hasn't been blessed by MS it's not trusted -- that's a fine policy for general users, but if I, as the hardware want to trust a specific bit of code (e.g. the linux boot loader) then I should be able to manually sign it somehow, and add my personal key to my personal install of Vista. And then the grub bootloader I signed will be trusted on my (and only my) PC.
All the 'chatter on the internets' is currently centered around how to disable UAC, how to disable driver signing, how to go back to running windows as insecurely as possible. I would prefer to see the discussion take a more intelligent direction -- how to obtain keys/certificates, how to add them to Vista's chain of trust on a per PC or per domain basis, and how to sign code with them.
Signed drivers are a FANTASTIC idea. Not being able to sign drivers myself for my own hardware is EVIL. But MS --does-- have programs in place to let you sign code with 'development drivers' which are designed to only be valid on your PC... it's just that most of the discussion surrounding the issue is how to disable it, and how evil MS is for deciding what is blessed and what is not.
I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and exercise all the freedoms intended by the gpl.
I'm confused why anyone would dual-boot Vista. Dual booting Windows to have a game machine is simply practical, but Vista sucks vs XP as a game platform - it's slower and takes far more resources to run at all (and if you didn't have resource limits, you'd just have 2 boxes). Why would you do this?
Socialism: a lie told by totalitarians and believed by fools.
I have Vista Enterprise on a dual boot laptop with a TPM that I have never enabled. Installing SP1 did nothing adverse to the dual boot capability.
Does anyone else remember when Quicken a few years ago would overwrite the MBR or something like that, and break dual-boot systems?
What would that do in this case? Brick windows until reinstall?
I thought it was bad of Microsoft to intentionally not read Mac floppy disks. I feel the dual-boot issues (minus BitLocker security issues in this specific case) with windows and linux (or any other OS) are just another example of that same mentality: Make it difficult to work with other systems, to try and keep people locked into the MS trash can for as long as possible.
Don't steal. The government hates competition.
Native hardware support. You can't use specialized hardware (like tuner cards, but there are others). In particular, you can't use 3D acceleration at all unless you fork over for VMWare, and at that it's nowhere near perfect.
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
I won't use it. I just bought a laptop on Ebay, brand new, out of box, that came with the Home edition, great bargain at $421. First thing I did with it was actually start it up and say "No" on the AUP acceptance page. I immediately powered it off, put in my trusty Ubuntu Hardy 64-bit install cd, wiped the disk, and installed a real operating system that will stay the fuck out of my way.
Sorry, Microsoft, but I'd call this Epic Fail. Trusted computing causes me to lose control of *my* computer. Problem is, Microsoft don't understand the definition of computer ownership.
Linux with ntfs-3g has been supporting full read/write on ntfs for some time, and works out of the box on my ubuntu hardy machine anyways.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
(I, however, use the Windows boot loader.)
That, Sir, is frigging awesome.
I feel guilty for actually wanting this to happen for a split second.
As long as there are slaughterhouses, there will be battlefields.
Two words: filesystem support.
Boot up Linux and all the stuff on your NTFS partition is read-only.
What? You know, Linux has had full NTFS Read/Write support for a while now, see :
http://www.linux-ntfs.org/
Also, ever heard about WUBI ?
jdb2
Yes, our family laptop is Vista Ultimate and Ubuntu, set up this way, and took Vista SP1 without a hiccup. Have Vista's bootup load the linux GRUB bootloader.
Ubuntu's Wifi is much more reliable on the same hardware, but Ubuntu won't run Adobe CS3 properly.
Because most new machines come with Vista preinstalled. Not XP.
Not to mention it's fairly easy to get Windows to read ext2/3 partitions with the extfs driver.
Put windows on the first hard drive, then install linux on the second hard drive. Setup grub so it chainloads the windows boot record (for one of the options), and finally make your bios boot off the second hard drive.
Then Windows is happy and ignorant of its true surroundings.
That's how my dualboot desktop at home is set up.
Just games? There are lots of people who run windows as their primary OS (because it's what they are used to after spending 15+ years on a MS platform, or maybe because there are apps they rely on that aren't available elsewhere), and they dual boot Linux because they want to be able to hack around, learn more, and generally have fun.
Taking an interest in Linux does not automatically mean somebody will abandon Windows the next morning.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
If I read TFA correctly, you need to have been using your TPM to experience this problem?
I have not been using my TPM and I was scolded on Monday about not using TPS report coversheets. Are the two related?
Thanks, Peter Gibbons
GRUB includes a bios hack to allow this. without looking it up, I believe it is the "map" command. I've done this with XP just fine. It's only the Windows boot loader that's too stupid to understand that it's on a second drive. The rest of Windows understands it and just doesn't care.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
Beware : the new Intel ICH10R has an integrated TPM.
This is by design. If you are into the secure boot stuff you'll know why.
This is not about DRM and such (but may be) but about *your* data encrypted by BitLocker (the DRM is about protecting *somebody else's* data from you - that is why it is flawed concept).
Right now there are some kinds of attacks that let you compromise the entire system right from boot (using other than approved bootloader and unsecure boot process) putting it into hypervisor and thus being able to retrieve keys and such directly from memory.
In fact I don't see any other option than to control the entire boot process. And if you wish to control it you need to use tools that support it.
So in fact it is not a Bad Thing. It could be a bad thing if you are casual-security user - but this 'casual security' is not so secure, is it?
I bet BitLocker documentation covers that. But why bother checking? It is better to set the "secure" option to "on" and dumbly believe it.
...dual boot Vista Ultimate 32-bit/OpenSUSE dev box at the office, I've got SP1 installed and haven't had to touch my bootloader (which works just fine by the way) and Vista works fine as well (in other words it works the same as before ;)...) I thought I was missing something so I read the actual article and it claims (unless I did miss something) that the problem occurs whether you use Bitlocker or not.
Many desktop motherboards give the option of booting from specific hard drives. That's the option I use. I install the OS on a hard drive as if it were the only OS, then choose the hard drive while booting up. The downside is, I have to remember which of my 3 drives has which OS.
I'm running Vista Ultimate 64bit with GRUB for Ubuntu, but BitLocker is turned off. No problems here thankfully.
The default install on any consumer laptop comes with so much crapware that you need to reinstall Windows just to make it usable - why choose Vista?
Because, like the parent said, you've already bought Vista when you bought the machine. Why buy another copy of Windows?
When our name is on the back of your car, we're behind you all the way!
That's TBD. A meeting is TBA.
TTFN.
Date of article you reference: October 13, 2006
Date of KB935509 update which breaks this: January 7, 2008
Intron: the portion of DNA which expresses nothing useful.
Does it prevent you from reinstalling? Then your system is bricked. If not, please quit misusing the term.
Hardware is cheap, so build more than one box for specialized tasks.
"Cheap" is very relative. If we go by what I consider cheap, I'll say that people would rather dual-boot than build a second box using garbage hardware. For myself, building the second box just never happens because there's always more upgrades that need to be done to my primary box that take up the extra funds available for system upgrades. If your secondary box for "specialized tasks" can do with hardware that's 2-3 years old, sure then you just use old hardware from the main box after you upgrade. I think it's pretty safe to assume though that for those people dual-booting, this is not the case.
Then there's also the issues of where to put the second box, getting all the peripherals for the second box (or shelling out still more money for a not-cheap KVM switch that reliably works every time), etc. etc.
In the end it's pretty easy to see why people just dual-boot.
There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
That's nice. The Windows idea of supporting it is "go look on technet" versus
the Linux version where it's already built-in and configuration is done for
you automatically.
This is precisely the stupidity that Windows trolls like to accuse Linux of
subjecting the end user to.
A Pirate and a Puritan look the same on a balance sheet.
Refuses to boot? Vista even refuses to INSTALL on a hdd that it doesn't believe is the "first" drive. It won't tell you why, either. It just says the partition doesn't meet its "criteria". Unplug the other hard drive and try again, and all of a sudden it works. Ignorance of surroundings is REQUIRED for a Vista installation. Use the BIOS boot selector (instead of messing with GRUB) after each individual OS is installed.
Is that the whole security premise of "trusted bootchain" is wrong.
Granted, that's one way of infecting a machine. But we haven't seen BIOS bootsector-type viruses since the 80's. Why would you write a bootsector virus when you can just crack the host OS?
Vista is huge, and having a secure bootchain won't change the fact that it's probably riddled with security holes anyway. Someone able to reverse engineer the checksumming code can simply modify the checksummer so that the bootchain always passes validation. What is to stop a virus running with administrative user privileges from modifying this key system binary (probably a DLL, at that!) under the auspices of a "system update"?
So what you get is an OS which can be modified to report that it is secure, when in fact it is not. This is the whole problem with the "trusted computing" initiative - others - presumably media companies - are trusting your machine to tell them that it is secure. It's a broken security model from the outset - who's to say you aren't running Windows in a virtual machine? - and only inconveniences the users.
The society for a thought-free internet welcomes you.
> Never Trust Trustworthy computing. it hasn't earned it.
Trusted Computing.
There's a big difference between Trusted and Trustworthy. As this update proves.
most people are content to leave it at that
First thing I did on the three systems I bought this last year was kill Vista and install XP. Yes it was from a pirate copy, but Microsoft has gotten their tax off me for THREE different systems so FUCK THEM. I am using a Microsoft OS. I am using one that is, in the words of Daft Punk, Harder Better Faster Stronger. (Okay, so the middle two are the most accurate.)
The big problem is the fact that despite providing XP drivers less than a year ago for these systems, now the various manufacturers basically say "Fuck you" if you ask them for help (some say it more politely than others) and leave you to sort it out yourselves. I got an HP laptop recently. Brand new. Had Vista on it. I tried it. After 20 minutes I was tearing my hair out with, among other things, the pathetic hand holding masquerading as security, so I dug out my XP disk.
It took me SIX HOURS to find drivers that had everything working. (And another few to refine driver versions to make stuff work WELL.) That's just the core stuff as well. Wireless, graphics, sound etc... Little things, like the fingerprint lock thing, I've never found drivers for. It is an absolute nightmare to get drivers for new systems these days, especially laptops. Basically you're relying on other people's experiences, experimentation and message board postings to find stuff that works. You just have to hope that someone before you has gotten your model sorted.
Worst by FAR was the nVidia drivers for the graphics. Almost NONE work. Even hacked ones I found to support a wider variety of chipsets. (I must have had to reboot with the "use previous known good configuration" god knows how many times.) I must have tried 20 different sets of drivers before finding the one set that would actually work! (When I have issues with games now and folk immediately say "upgrade your graphics drivers" I just sit and weep in the corner muttering "the horror... the horror" quietly to myself.)
Hardly a surprise most people are content to leave it at that given "upgrading" to XP has been made so treacherous and complicated.
Right now, I'm running Windows Vista SP1 Ultimate and Gentoo 2008.0, booting via grub (chainloader for Vista) and it works perfectly well...
Why hasn't the information in this article been checked for that thing called... the truth?
portfolio
Might as well be bricked to Joe Average Consumer. They don't know how to stick a Vista CD into the drive and reinstall without dragging it into a computer shop telling the guy it's broken and to fix it.
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
Windows allows multi-OS booting; yes, even Vista allows it. You just have to know how to do it; just like any dual boot scenario.
False. Your solution requires hackery, while many Linux distros together with most things except Vista take care of setting up dual-boot during the installation process.
Because their customers want them to.
Using the Windows boot loader to chainload code off another partition is, AFAIK, impossible.
Besides, in Vista the nice, easy-to-modify boot.ini file is gone. It is replaced by yet another binary registry-like database. Typical Microsoft.
Trusted !=Trustworthy. In the intelligence community, a "Trusted Party" is a party that knows enough to backstab you. That is all "Trusted Computing" implies.
Our lab technicians were upgrading Vista PC's to use the department's standard linux build. For whatever reason, the BIOS wouldn't allow the LINUX install DVD to BOOT. So they had to remove the hard disk drives out of the PC's with built-in TRUSTED SECURITY BIOS'S, pop them into an older untrusted XP system, and then install the linux build and put the hard disk drive pack in again. It's a pain, but if OS vendors are going to install security measures without consulting their users, this is what is going to happen. Everyone is going to think of ways of getting around these "security measures".
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Never name a piece of spacegoing hardware anything that rhymes with "trouble".
Also, never trust any technology that rhymes with "busted".
The higher the technology, the sharper that two-edged sword.
I have Vista Enterprise in a dual-boot laptop with TPM and grub as the primary boot loader, and SP1 installed without any problems at all, and never altered the boot loader. It's 64-bit Vista, which is typically even more stringent with the code checks than 32-bit.
Were Microsoft not attaching it to a KB article, I'd have called it FUD, but I will say that I have not experienced it at all.
You can never go home again... but I guess you can shop there.
http://port25.technet.com/archive/2006/10/13/Using-Vista_2700_s-Boot-Manager-to-Boot-Linux-and-Dual-Booting-with-BitLocker-Protection-with-TPM-Support.aspx
The old way was to boot linux from a floppy. Confused users were able to grasp the concept that if the floppy was in it would start in linux and out it would start in MS Windows. Can't this concept be reapplied and just set the BIOS to boot from a USB stick and put the bootloader on there?
Software like Vista Ultimate with BitLocker is aimed at the corporate environment. If I'm a network admin, I don't want some jack hole dual-booting anything on my network. He doesn't need a Linux partition on his workstation. I might want laptops with TPM and BitLocker for the sales staff so that when they get drunk and lose their laptops with the customer list on it, I can rest relatively soundly knowing that the data is secure.
It is obvious that Microsoft does not care about the individual end user who wants complete control over their computer. That is okay with me. Maybe I've been drinking too much of the Kool Aid but I'm happy with HP hardware running a Microsoft OS. I like the fact that they make it a complete PITA for the end user to do anything to their workstation. It makes my job easier. 95% of the corporate computing world can get by with an office suite, a web browser and access to a couple of custom apps (financial, inventory, manufacturing, and what not). They don't need to be playing stolen mp3s that they got from Pirate Bay, watching DVDs on their lunch breaks, or dual-booting their damn desktops.
Where are all the gripes about how Server 2003 sucks? How about the gripes about IIS6 getting owned all over the place? They aren't there because Microsoft is focusing their attention where they need to focus it... on the administrators responsible for hundreds and thousands of workstations and servers. Does anyone really think that the folks at Microsoft stay up late at night wringing their hands over corporation versions of their workstation software not dual-booting a third party OS? Seriously guys... what portion of the Vista Ultimate/Enterprise user base do you think is negatively impacted by the change? 1%? 3%? I'm not talking about the developers who need ten thousand OSes on their machines "for development purposes." I'm talking about the cubicle drones who work 8-5 running a couple of applications.
I can find no way to get my application X added to a trust chain and thereby be trusted and usable. If Microsoft has a trust chain, then since they are a monopoly they should be required to accept trust requests and add them if they meet valid requirements for trust.
In other words the GRUB developers should be able to get a trust certificate so that windows boot loader accepts it as trusted, but I can't find out how to even get one.
How many Vista Enterprise or Ultimate users really dual boot? Since this article is dated four months ago and this is the first we're hearing about it, I'm guessing not many.
Vista wouldn't reinstall from OEM discs on my Dell notebook, because I was running GRUB?? That just about gold-plates my hunch. Now, Vista won't run on ANY computer I own because Ubuntu 8.04 is my operating system of choice. It simply does not pay to trust an OS whose future operation is subject to policy whims and random paranoid vagaries by a third party, in this case, Microsoft. I would be happy to join any class action lawsuit that results from this disclosure, but no inducement is sufficient to make me trust Vista again.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
I have a dual-boot setup with Ubuntu 8.04 and Vista Ultimate. Linux was loaded first then Vista with the bootloader replaced with EasyBCD v1.72 from NeoSmart. Service Pack 1 installed w/o any problems at all.
I once soldered together a system using a (keyed) switch with enough contacts to allow me to effectively swap the master and slave jumpers on two hard drives. (The key part helps because you'd only want to do it when the system was powered off!) But the end result is dual booting between two dedicated hard disks, that ought to stump Vista!
If you don't risk failure you don't risk success.
I multi-boot with several 64-bit Linux distros and 64-bit Ultimate Vista on a Dell Vostro 400 I bought back in February (does this have the TPM stuff?). Grub is installed on the MBR and I don't have BitLocker enabled in Vista (why would I - can't read the disks in Linux if I did!). I installed Vista SP1 when it came out and had absolutely no problems (I may have had to re-install GRUB on the MBR, but I do that so often that I consider it no big deal). So am I the odd one out?
It is time to take note that Red Hat, SuSe and Ubuntu are still using legacy GRUB since the new GRUB 2 does not seem to be ready for prime time.
Legacy GRUB is not being developed any longer, even patches are not accepted. The project had no developers working on it for the past 3-4 years. The major distros have just forked it without saying so. And it is a company fork, each distro has its own concoction.
QUOTE: GRUB Legacy has become unmaintainable, due to messy code and design failures. :UNQUOTE
Who said that? Not Microsoft, check here: http://www.gnu.org/software/grub/grub-2-faq.en.html
...that "good enough for government work" used to mean that the work was really good. Kinda funny if it's true.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
I'm failing to see why this is a big deal. Software is in place to check for a piece of third party code intercepting your encryption key... It successfully detects GRUB as such software, and stops. So what?
This is a flaw of the trusted computing architecture. If the partition of the trusted OS (Vista) is encrypted, Multiboot does not break trust, because the other OS cannot decrypt the partition. But in trusted computing, if an untrusted bootloader loads a trusted OS the chain of trust is broken.
If trusted computing were designed with the user's interest in mind, the user would be able to decide that the bootloader he is using (grub) is trusted, sign it with a key which enables that bootloader only on his computer, and get on with his life. But now we have to wait for Microsoft to implement and sign a real bootloader... good luck with that.
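The "trust chain" discussed throughout this thread, as an added example that is not part of the original discussion: a simplified model of TPM 1.2 measured boot, where each boot stage is hashed into a PCR and a sealed key is released only if the PCR matches its value at seal time. `ToyTPM`, the single-PCR layout and the boot-component byte strings are assumptions constructed for illustration; a real TPM uses several PCRs and encrypts the sealed blob.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


class ToyTPM:
    """Hypothetical model of one TPM 1.2 PCR plus seal/unseal (illustration only)."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self._sealed = None  # (pcr_at_seal_time, secret)

    def reset(self):
        """Models a platform reset; software cannot set a PCR to a chosen value."""
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes) -> bytes:
        """PCR_new = SHA1(PCR_old || SHA1(component)): fold in one measurement."""
        digest = hashlib.sha1(component).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
        return self.pcr

    def seal(self, secret: bytes) -> None:
        """Bind the secret to the PCR value present right now."""
        self._sealed = (self.pcr, secret)

    def unseal(self):
        """Release the secret only if the PCR equals the value at seal time."""
        if self._sealed is None:
            return None
        expected, secret = self._sealed
        return secret if hmac.compare_digest(self.pcr, expected) else None


def boot(tpm: ToyTPM, chain) -> bytes:
    """Reset, measure each boot stage in order, and return the final PCR."""
    tpm.reset()
    for component in chain:
        tpm.extend(component)
    return tpm.pcr


# Constructed stand-ins for boot-stage code; real measurements cover the actual bytes.
FIRMWARE = b"constructed: platform firmware"
MS_LOADER = b"constructed: Windows boot code"
GRUB = b"constructed: GRUB stage1"
VOLUME_KEY = b"constructed-volume-key"


def demo():
    """Seal a key under the Windows-only chain, then try three boot chains."""
    tpm = ToyTPM()
    boot(tpm, [FIRMWARE, MS_LOADER])
    tpm.seal(VOLUME_KEY)

    results = {}
    boot(tpm, [FIRMWARE, MS_LOADER])
    results["windows_loader"] = tpm.unseal()   # same chain: key released
    boot(tpm, [FIRMWARE, GRUB, MS_LOADER])
    results["grub_chainload"] = tpm.unseal()   # extra stage changes the PCR: None
    boot(tpm, [FIRMWARE, MS_LOADER])
    results["loader_restored"] = tpm.unseal()  # original chain back: key released
    return results


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:16} -> {'key released' if key else 'unseal refused'}")
```

The third case corresponds to the workaround in the summary: with the original boot code restored, the measurements match again.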