Dual Boot Not Trusted, Rejected By Vista SP1
Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system.
The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."
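A simplified model of the measured-boot check the summary describes, added here as an illustration; it is not code from the thread, from Microsoft or from any TPM library. `ToyTPM`, the single PCR and the stage byte strings are assumptions made for the example (real BitLocker seals against several PCRs).

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


class ToyTPM:
    """Toy model (hypothetical class): one PCR and one sealed secret."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self._sealed = None  # (PCR value required for release, secret)

    def reset(self):
        """Power-on: the PCR returns to zero; sealed data persists."""
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes):
        """PCR_new = SHA1(PCR_old || SHA1(component)); it cannot be set directly."""
        digest = hashlib.sha1(component).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()

    def seal(self, secret: bytes):
        """Bind the secret to the PCR value measured so far."""
        self._sealed = (self.pcr, secret)

    def unseal(self):
        """Release the secret only if the current PCR matches the sealed one."""
        required, secret = self._sealed
        return secret if hmac.compare_digest(required, self.pcr) else None


def boot(tpm: ToyTPM, chain):
    """Measure each boot stage in order, then ask the TPM for the disk key."""
    tpm.reset()
    for stage in chain:
        tpm.extend(stage)
    return tpm.unseal()


# Constructed stand-ins for boot-stage code, not real binaries.
FIRMWARE, VENDOR_MBR, VENDOR_BOOTMGR = b"firmware", b"vendor mbr", b"vendor bootmgr"
THIRD_PARTY_MBR = b"third-party loader stage1"
DISK_KEY = b"volume-key-0123"

def provision() -> ToyTPM:
    """Seal the disk key while the vendor-only chain is measured."""
    tpm = ToyTPM()
    for stage in (FIRMWARE, VENDOR_MBR, VENDOR_BOOTMGR):
        tpm.extend(stage)
    tpm.seal(DISK_KEY)
    return tpm
```

Because each extend hashes over the previous PCR value, replacing or reordering any one stage changes the final value and `unseal()` returns `None`; booting the original chain again releases the key.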
It will detect the lack of a TPM and notify the FBI that you are probably a terrorist.
Dual boot systems generally aren't a pain to set up (unless you load Windows second and it overwrites your boot sector). Dual boots are well documented and many people know to load Windows first and then load Linux second and replace the boot sector with LILO or GRUB so you can boot into your choice. It's only Windows that doesn't give choice (as per usual).
This is my sig. There are many like it but this one is mine.
Of course, the article says the problem exists even if you don't have the encryption enabled.... However it looks like what happens in that case is the same as what's always happened when a windows update contains a MBR change: It overwrites your third party bootloader. (Or in this latest case, forces you to do it yourself manually).
I'm failing to see why this is a big deal. Software is in place to check for a piece of third party code intercepting your encryption key... It successfully detects GRUB as such software, and stops. So what?
Has anyone tried this with Boot Camp? I had no problems with Mac OS X and FileVault dual-booting with either XP SP2 or Vista base.
It's only Windows that doesn't give choice
I have heard that is a feature that we pay extra for.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
In which case you can no longer trust linux.
Good thing I'm running Mojave and not Vista.
MABASPLOOM!
I'm hoping some joker with the next viable vista virus uses it to trigger trusted computing into locking machines.
Let's see Vista's adoption rate when word gets out it bricks your entire system if you get a virus.
Probably?
If you are using BitLocker then you want your data to be secure. There are probably ways that a compromised boot loader can allow an attacker access to your data. Vista closes this security hole by requiring the boot loader to be a cryptographically signed binary that it trusts. If it didn't, this story would instead be "Vista BitLocker encryption not secure on dual boot systems".
That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.
No, you just have to have a version of Vista that supports BitLocker, whether it is on or off. Enterprise and Ultimate are the only versions that support BL, so they are the ones that need the KB which is a prerequisite to the SP1 install (because SP1 upgrades some BitLocker features). Never Trust Trustworthy computing. It hasn't earned it.
This *may* be a corner case as most TPMs were shipped in the disabled state back when XP was still shipping.
Instead, how about testing the open source BIOS stack? Most of you have an unused box of recent vintage and I'm sure the projects can use the feedback.
FYI: An open sourced BIOS is an Achilles heel for Microsoft. Mobo OEMs will **jump** on a Free BIOS because it saves them money and eliminating TPM saves them much more money.
Get involved!!
http://www.coreboot.org/Welcome_to_coreboot
http://openbios.info/Welcome_to_OpenBIOS
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Vista's security chain works as designed and intended, preventing you from injecting an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isn't a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.
If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.
The ONLY flaw I see in the entire Vista/TPM system is that users don't seem to have a way of manually trusting things they genuinely want to trust. If it hasn't been blessed by MS it's not trusted -- that's a fine policy for general users, but if I, as the hardware owner, want to trust a specific bit of code (e.g. the Linux boot loader) then I should be able to manually sign it somehow, and add my personal key to my personal install of Vista. And then the GRUB bootloader I signed will be trusted on my (and only my) PC.
All the 'chatter on the internets' is currently centered around how to disable UAC, how to disable driver signing, how to go back to running Windows as insecurely as possible. I would prefer to see the discussion take a more intelligent direction -- how to obtain keys/certificates, how to add them to Vista's chain of trust on a per PC or per domain basis, and how to sign code with them.
Signed drivers are a FANTASTIC idea. Not being able to sign drivers myself for my own hardware is EVIL. But MS --does-- have programs in place to let you sign code with 'development drivers' which are designed to only be valid on your PC... it's just that most of the discussion surrounding the issue is how to disable it, and how evil MS is for deciding what is blessed and what is not.
I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and exercise all the freedoms intended by the GPL.
I have Vista Enterprise on a dual boot laptop with a TPM that I have never enabled. Installing SP1 did nothing adverse to the dual boot capability.
Linux with ntfs-3g has been supporting full read/write on ntfs for some time, and works out of the box on my ubuntu hardy machine anyways.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
Two words: filesystem support.
Boot up Linux and all the stuff on your NTFS partition is read-only.
What? You know, Linux has had full NTFS Read/Write support for a while now, see:
http://www.linux-ntfs.org/
Also, ever heard about WUBI?
jdb2
Put Windows on the first hard drive, then install Linux on the second hard drive. Set up GRUB so it chainloads the Windows boot record (for one of the options), and finally make your BIOS boot off the second hard drive.
Then Windows is happy and ignorant of its true surroundings.
That's how my dual-boot desktop at home is set up.
Just games? There are lots of people who run windows as their primary OS (because it's what they are used to after spending 15+ years on a MS platform, or maybe because there are apps they rely on that aren't available elsewhere), and they dual boot Linux because they want to be able to hack around, learn more, and generally have fun.
Taking an interest in Linux does not automatically mean somebody will abandon Windows the next morning.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Informative gives Karma but Funny doesn't. Therefore, people who appreciate the post and wish to give the user some karma will choose Informative.
If I read TFA correctly, you need to have been using your TPM to experience this problem?
I have not been using my TPM and I was scolded on Monday about not using TPS report coversheets. Are the two related?
Thanks, Peter Gibbons
When you explicitly check the MBR and have an infrastructure to stop your hardware from operating based on its check ... that's not a bug ;)
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Not at all....
Booting is handled by the EFI, and any operating system booted under the legacy BIOS emulation wouldn't be able to do a thing about it!
You know, I had to use that crack to get my copy of Vista reinstalled (all the partitions got wiped out, including the OEM one), because it refused to use my OEM key without the OEM partition, and simply wouldn't activate. So, I had to crack my already-paid-for copy of Vista. Oh, sure, I could have gone and sent it back (to Acer, yeah right), or called Microsoft, but isn't it funny that I get a better "customer service experience" from cracked software?
Posting anonymous for the above reasons.
No, they just disagree who the owner is :)
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
It's only in Vista Enterprise or Vista Ultimate, which support disk encryption.
Intron: the portion of DNA which expresses nothing useful.
Date of article you reference: October 13, 2006
Date of KB935509 update which breaks this: January 7, 2008
Intron: the portion of DNA which expresses nothing useful.
That's nice. The Windows idea of supporting it is "go look on technet" versus the Linux version where it's already built-in and configuration is done for you automatically.
This is precisely the stupidity that Windows trolls like to accuse Linux of subjecting the end user to.
A Pirate and a Puritan look the same on a balance sheet.
You do have a choice. The choice is called "turn off BitLocker". Inherently the BitLocker feature is worthless if it allows you to run an arbitrary bootloader.
Not at all true. Security isn't binary. Bitlocker alone will stop 99% of attackers who try to get at your data through physical access. The rest probably won't bother with a trojan bootloader--they'll either use rubber hose cryptanalysis or a hardware keylogger, depending upon how stealthy they want to be.
I don't see a problem with Bitlocker using TPM in this way at all. But it should allow me to disable the bootloader check if I so choose.
Probably?
Close enough for government work.
Too right, I just modded it informative too, and your post as well, so your ka... oh wait. whoops.
What if Tetris was invented by Nazis?
Informative gives Karma but Funny doesn't. Therefore, people who appreciate the post and wish to give the user some karma will choose Informative.
What I don't understand is why anyone would care... Slashdot Karma is competing with Kool-Aid Fun Points for score that has the least impact on my life.
The enemies of Democracy are
This should definitely be modded Informative.
I'm so excited I just made water in my pantaloons!
If you want karma, be informative rather than funny.
This comment is informative, not funny.
Question everything
Oh, well heh, I think modding someone funny for being funny is nice enough for a little o' that real life karma. :)
The enemies of Democracy are
So "informative" is the new "funny"?
Damn!
[...]they'll either use rubber hose cryptanalysis[...]
So that's just DoJ thugs coming to your house and whipping you with a rubber hose until you tell them the password, right?
I'm so glad we torture now. I feel so much safer knowing we've got that weapon at our disposal.
It's been a long time.
Never name a piece of spacegoing hardware anything that rhymes with "trouble".
Also, never trust any technology that rhymes with "busted".
The higher the technology, the sharper that two-edged sword.
You missed that thread above about how Informative is the new Funny. :)
If you believe everything you read, you'd better not read. - Japanese proverb
MOST Microsoft customers will be perfectly happy with that level of intrusive control, and won't even realize it's there. It's only that lunatic fringe that thinks that they actually *own* the computer that they paid money for, and want to dual-boot, that will realize that something is amiss at the Circle K.
The living have better things to do than to continue hating the dead.
Uh. Mods are now definitely literally on crack. Not behaving in an incomprehensible and unpredictable manner, they are putting the pipe to their lips and inhaling the smoke from burning crack cocaine.
Assume I was drunk when I posted this.
Why?
Uh. Mods are now definitely literally on crack. Not behaving in an incomprehensible and unpredictable manner, they are putting the pipe to their lips and inhaling the smoke from burning crack cocaine.
Name a better way to spend a Thursday morning with mod points in your account!