or ID field of /etc/os-release or another suitable identifier before
deploying the image.
+ * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
+ loader.conf that implements booting Microsoft Windows from the
+ sd-boot in a way that first reboots the system, to reset the TPM
+ PCRs. This improves compatibility with BitLocker's TPM use, as the
+ PCRs will only record the Windows boot process, and not sd-boot
+ itself, thus retaining the PCR measurements not involving
+ sd-boot. Note that this feature is experimental for now, and is
+ likely going to be generalized, renamed and removed in its current
+ form in a future release, without retaining compatibility with its
+ current implementation.
+
* The --make-machine-id-directory= switch to bootctl has been replaced
by --make-entry-directory=, given that the entry directory is not
necessarily named after the machine ID, but after some other suitable
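Review bot: the new NEWS bullet never states the default for "reboot-for-bitlocker", while the man page hunk in this same change flips it to "(disabled by default)"; a reader of NEWS alone will not learn that the workaround has to be opted into in loader.conf, so the sentence introducing the setting should say so. Also consider spelling out the security trade-off in the bullet in one sentence: because the reboot resets the PCRs, BitLocker's sealing policy ends up covering only the Windows boot chain and no longer attests that sd-boot ran first, which is exactly what the "retaining the PCR measurements not involving sd-boot" clause means but is easy to miss.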
<varlistentry>
<term>reboot-for-bitlocker</term>
- <listitem><para>Work around BitLocker requiring a recovery key when the boot loader was
- updated (enabled by default).</para>
+ <listitem><para>Caveat: This feature is experimental, and is likely to be changed (or removed in its
+ current form) in a future version of systemd.</para>
+
+ <para>Work around BitLocker requiring a recovery key when the boot loader was
+ updated (disabled by default).</para>
<para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found
and Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal>
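Review bot: the "Caveat:" paragraph above warns that the option may change but not what that means for existing loader.conf files; the NEWS entry says the change will come "without retaining compatibility with its current implementation", so the man page should say the same so an admin knows a `reboot-for-bitlocker` line may stop having any effect after an update. Separately, the description paragraph explains the mechanism (BootNext plus reboot) but not its consequence for BitLocker's TPM policy, namely that sd-boot is no longer part of the measured boot Windows sees; one sentence here would let users judge whether enabling the workaround is acceptable for their threat model.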
.editor = TRUE,
.auto_entries = TRUE,
.auto_firmware = TRUE,
- .reboot_for_bitlocker = TRUE,
+ .reboot_for_bitlocker = FALSE,
.random_seed_mode = RANDOM_SEED_WITH_SYSTEM_TOKEN,
.idx_default_efivar = IDX_INVALID,
.console_mode = CONSOLE_MODE_KEEP,
UINTN n_handles;
EFI_STATUS err;
+ // FIXME: Experimental for now. Should be generalized, and become a per-entry option that can be
+ // enabled independently of BitLocker, and without a BootXXXX entry pre-existing.
+
/* BitLocker key cannot be sealed without a TPM present. */
if (!tpm_present())
return EFI_NOT_FOUND;
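Review bot: the FIXME comment describes the intended generalization (per-entry option, no pre-existing BootXXXX requirement) but sits above the TPM check rather than next to the option it describes, and it names no tracking issue; move it to the top of the function or to the option definition and reference the issue that tracks the rework so the note does not rot. Also worth stating in the comment below it that `EFI_NOT_FOUND` from the `!tpm_present()` path means "workaround not applicable, continue with the normal boot" rather than an error, since the caller has to treat that status differently from a real failure and the current one-line comment only explains the BitLocker sealing reason.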