Jan 05 2010

Using Vista’s Boot Manager to Boot Linux and Dual Booting with BitLocker Protection with TPM Support by MichaelF on October 13, 2006 05:57PM

Today we are introducing Cyril Voisin, Security Advisor for Microsoft in France, where he has worked for 9 years. Cyril is a CISSP (Certified Information Systems Security Professional) and, alongside his work at Microsoft, teaches systems and network security in local schools as time allows. Cyril has started a blog, primarily focused on security (its stated intent can be read on the blog itself) but occasionally dealing with interoperability as it relates to security.

Cyril has given us permission to syndicate his content on Port 25; the first example is below. Please feel free to post any questions or clarifications below or on Cyril's blog.

We welcome Cyril to Port 25 and look forward to featuring his work and insight in the future.



How to use Windows Vista’s Boot Manager to boot Linux

The Web is full of explanations of how to dual boot Windows and Linux using a Linux boot manager such as GRUB or LILO. If you want to dual boot Windows Vista and Linux using Windows Vista's own Boot Manager instead, read on. I assume that you have already installed Linux on your machine with GRUB as its boot loader.

Step 1 – Install GRUB on the Linux partition (outside of the MBR)

Windows Vista Setup will replace the Master Boot Record (MBR) with its own, so GRUB has to live somewhere else: we install it in the boot sector of the Linux partition by running grub-install with that partition as the parameter.

• On Linux, launch a Terminal with root privileges

• Find the name of the partition Linux is installed on by running fdisk -l (the partition you are looking for is the one whose System column says Linux; it will be something like /dev/sda1 or /dev/hda1. For the rest of this post I will use /dev/sda1)

• Install GRUB in the Linux partition's boot sector by running: grub-install /dev/sda1

Note: GRUB Legacy (current when this was written) does this without complaint. GRUB 2 refuses to install into a partition boot sector unless you add --force, because it then has to locate its core image by block list, which breaks if that image is ever moved on disk; if you take that route, rerun grub-install (and redo Step 2) after any GRUB upgrade.

Step 2 – Get a copy of the Linux boot sector

We will need to tell Windows Boot Manager how to boot Linux, and it does so by loading the Linux partition's boot sector, the 512-byte sector that now contains GRUB's first stage. We extract that sector with dd.

• On Linux, launch a Terminal with root privileges

• Take a copy of the Linux boot sector: dd if=/dev/sda1 of=/tmp/linux.bin bs=512 count=1

• Note: reading from /dev/sda1 rather than /dev/sda gives you the partition's first sector, not the disk's MBR, and bs=512 count=1 limits the copy to exactly that one sector. Redo this copy whenever you reinstall GRUB, since the sector may change.

• Copy linux.bin to a FAT-formatted USB key or any other storage accessible from Windows Vista

Step 3 – Install Windows Vista

Step 4 – Configure dual booting in Windows Vista

We will create an entry for GRUB in the Windows Vista Boot Configuration Data (BCD) store using bcdedit.

• On Windows Vista, launch a command prompt with administrative privileges (by right clicking on cmd and choosing Run as Administrator)

• Copy the Linux boot sector (linux.bin) to the root of the Windows boot (active) partition, i.e., the one containing bootmgr. If you are not sure which one that is, use diskpart or diskmgmt.msc to find out. On a default single-partition Vista install this is C:, and the file then sits at C:\linux.bin.

• Create an entry for GRUB:

o bcdedit /create /d "GRUB" /application BOOTSECTOR

o Note: bcdedit returns an identifier for the new entry, which we call {LinuxID} below; replace {LinuxID} with the returned identifier, braces included, in every command that follows. An example of {LinuxID} is {81ed7925-47ee-11db-bd26-cbb4e160eb27}

• Specify which device hosts the copy of the Linux boot sector

o bcdedit /set {LinuxID} device boot

o Note: device boot means "the partition Windows was booted from". If the GRUB entry fails at boot because the file cannot be found, name the partition explicitly instead: bcdedit /set {LinuxID} device partition=C: (with C: being the active partition where you placed linux.bin).

• Specify the path to the copy of the Linux boot sector, relative to the root of that partition

o bcdedit /set {LinuxID} path \linux.bin

• Add the Linux entry to the menu displayed at boot time

o bcdedit /displayorder {LinuxID} /addlast

• Let the menu be displayed for 10 seconds to allow for OS selection

o bcdedit /timeout 10

• Check the result with bcdedit /enum: it should list a "Real-mode Boot Sector" entry named GRUB with the device and path set as above. Windows Boot Manager only chain-loads the 512 bytes in linux.bin and never reads the Linux file system, which is why nothing else needs to be copied.
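The two Linux steps above (find the Linux partition, copy its first sector) and a check that the copy is usable can be expressed against a disk image. The following is an added example, not code from the original post or from GRUB or Microsoft: it parses the MBR partition table the way fdisk -l does, pulls the 512-byte partition boot sector the way the dd command does, and verifies the 0x55AA signature that a real boot sector must carry before you hand the file to bcdedit. The disk image, the partition layout and the stand-in GRUB sector are constructed inline; nothing here reads a real device.

```python
"""Added example (not from the original post): parse an MBR partition table, pull a
partition's boot sector the way `dd ... bs=512 count=1` does, and check that the copy
is a plausible boot sector before handing it to bcdedit. The disk image is constructed
inline; no real device is read."""
import struct

SECTOR = 512
LINUX_TYPE = 0x83          # MBR partition type that fdisk -l reports as "Linux"
NTFS_TYPE = 0x07
BOOT_SIG = b"\x55\xaa"     # last two bytes of any valid MBR or boot sector


def parse_mbr(mbr):
    """Return the non-empty entries of the 4-slot primary partition table at offset 446."""
    if len(mbr) != SECTOR or bytes(mbr[510:512]) != BOOT_SIG:
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * slot)
        if ptype == 0:
            continue
        entries.append({"index": slot + 1, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def find_linux_partitions(mbr):
    """The partitions fdisk -l would list with System = Linux."""
    return [e for e in parse_mbr(mbr) if e["type"] == LINUX_TYPE]


def is_boot_sector(sector):
    """True for exactly 512 bytes ending in 0x55AA, which is all bcdedit's BOOTSECTOR loader checks."""
    return len(sector) == SECTOR and bytes(sector[510:512]) == BOOT_SIG


def extract_boot_sector(disk, start_lba):
    """Same bytes as `dd if=/dev/sdaN of=linux.bin bs=512 count=1`, taken from a disk image."""
    off = start_lba * SECTOR
    sector = bytes(disk[off:off + SECTOR])
    if not is_boot_sector(sector):
        raise ValueError("partition's first sector has no 0x55AA signature; "
                         "was grub-install run against the partition rather than the disk?")
    return sector


def build_sample_disk():
    """Constructed image, not a real disk: Linux partition at LBA 63, active NTFS one after it.
    GRUB's stage 1 is stood in for by a sector carrying only a jump opcode and the signature."""
    def entry(status, ptype, start, size):
        return struct.pack("<B3xB3xII", status, ptype, start, size)
    table = entry(0x00, LINUX_TYPE, 63, 1000) + entry(0x80, NTFS_TYPE, 1063, 2000) + b"\x00" * 32
    disk = bytearray(SECTOR * 4000)
    disk[0:SECTOR] = b"\x00" * 446 + table + BOOT_SIG
    disk[63 * SECTOR:64 * SECTOR] = b"\xeb" + b"\x00" * 509 + BOOT_SIG   # fake GRUB stage 1
    return disk


if __name__ == "__main__":
    disk = build_sample_disk()
    for p in find_linux_partitions(disk[:SECTOR]):
        sector = extract_boot_sector(disk, p["start_lba"])
        print("partition %d at LBA %d: %d-byte boot sector, signature OK"
              % (p["index"], p["start_lba"], len(sector)))
```

The signature check is the cheap sanity test worth running on linux.bin before rebooting: a copy taken from the whole disk instead of the partition, or from a partition GRUB was never installed into, is the usual cause of a GRUB entry that hangs or prints garbage at boot.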

Building a dual boot system with Windows Vista BitLocker protection with TPM support

Many people have wondered whether it is possible to dual boot a TPM-protected, BitLocker-encrypted instance of Windows Vista with Linux or another OS. The answer is yes, and the following procedure will hopefully help you set up your machine correctly.

Some (simplified) background on BitLocker:

BitLocker Drive Encryption encrypts the Windows Vista partition and, when used with a TPM (a cryptographic chip on the motherboard), provides a secure startup process. The BIOS, the TPM, the MBR and the boot sector cooperate to verify that nothing in the boot sequence has changed since BitLocker was turned on. At each early step of the boot, the component about to hand over control first has the TPM record a hash of the next component's code before executing it. The TPM keeps these hashes in dedicated Platform Configuration Registers (PCRs), and it extends them rather than overwriting them, so every measurement since power-on is folded into the final register values. When Windows Vista starts, it asks the TPM to unseal the Volume Master Key (which in turn protects the key the volume is encrypted with), and the TPM releases it only if the PCRs hold exactly the values they had when the key was sealed. So if you replace Windows Vista's MBR with one that is not TPM aware, it will not hash the boot sector before executing it and that PCR stays unpopulated; the same goes for the boot sector and what it loads in turn. BitLocker checks for this when you try to turn it on and simply refuses to be enabled; if the boot path changes after it is enabled, the key will not unseal and Vista drops into BitLocker recovery, asking for the recovery password.

The underlying idea here is to keep BitLocker enabled with the original Windows Vista boot files in place and let Windows Boot Manager chain-load GRUB. Another possibility would be a TPM-aware version of GRUB. However, this would mean putting files in the boot sequence that Microsoft has not tested, which I would not recommend. Moreover, using the original Windows Vista files gives you code that went through the Security Development Lifecycle, which I personally find very valuable.
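The measure-then-seal logic described above can be replayed in a few lines. What follows is an added example and a model, not Microsoft code or a real TPM interface: boot components are constructed byte strings, the PCR numbers are a simplified subset of the ones Vista's TPM protector binds to (PCR 4 for the MBR, 8 for the NTFS boot sector, 9 for the NTFS boot block, 10 for the boot manager), and sealing is modelled as "store the composite hash, release the secret only when it matches" rather than as TPM_Seal's actual encryption. It shows why a stock GRUB in the MBR breaks the chain even though every later Vista component is untouched, and why patching bootmgr has the same effect.

```python
"""Added example (not Microsoft or TPM code): a model of the TPM 1.2 measured-boot chain
that BitLocker's TPM protector relies on. Components are constructed byte strings; the PCR
selection is a simplified subset of Vista's defaults and sealing is a compare-and-release
model of TPM_Seal/TPM_Unseal."""
import hashlib

PCR_INIT = b"\x00" * 20        # TPM 1.2 PCRs are SHA-1 sized and reset to zero at power-on
BITLOCKER_PCRS = (4, 8, 9, 10)  # PCR 4: MBR, 8: NTFS boot sector, 9: NTFS boot block, 10: bootmgr


def pcr_extend(pcr, component):
    """TPM_Extend: PCR <- SHA1(PCR || SHA1(component)). An extend is never a plain overwrite,
    so every measurement since power-on stays reflected in the final register value."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(stages):
    """stages: ordered list of (pcr, code, tpm_aware). The BIOS always measures stage 0 (the MBR).
    Each later stage is measured by its predecessor only if that predecessor is TPM aware,
    which the Vista MBR, boot sector and boot block are and a stock GRUB MBR is not."""
    pcrs = {pcr: PCR_INIT for pcr, _, _ in stages}
    prev_aware = True            # the BIOS/CRTM measures the MBR before jumping to it
    for pcr, code, aware in stages:
        if prev_aware:
            pcrs[pcr] = pcr_extend(pcrs[pcr], code)
        prev_aware = aware
    return pcrs


def pcr_composite(pcrs, selection):
    """Digest over the selected PCRs in index order (stands in for TPM_PCR_COMPOSITE)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(selection))).digest()


def seal(secret, pcrs, selection=BITLOCKER_PCRS):
    """Bind a secret (BitLocker's Volume Master Key) to the current PCR state."""
    return {"selection": selection, "composite": pcr_composite(pcrs, selection), "secret": secret}


def unseal(blob, pcrs):
    """The TPM releases the secret only if the current PCRs reproduce the sealed composite;
    otherwise BitLocker falls back to recovery."""
    if pcr_composite(pcrs, blob["selection"]) != blob["composite"]:
        return None
    return blob["secret"]


# Constructed boot chains (stand-in bytes, not real boot code).
VISTA_CHAIN = [
    (4, b"vista-mbr", True),
    (8, b"vista-ntfs-boot-sector", True),
    (9, b"vista-ntfs-boot-block", True),
    (10, b"bootmgr", True),
]
GRUB_CHAIN = [(4, b"grub-stage1-in-mbr", False)] + VISTA_CHAIN[1:]     # GRUB replaces only the MBR
TAMPERED_CHAIN = VISTA_CHAIN[:3] + [(10, b"bootmgr-patched", True)]     # MBR intact, bootmgr modified


def demo():
    """Seal a stand-in VMK against the original Vista boot path, then try to unseal it after
    three different boots. Returns the key where the TPM would release it, None where not."""
    vmk = b"\x01" * 32
    blob = seal(vmk, measure_boot(VISTA_CHAIN))
    return {
        "same_boot_path": unseal(blob, measure_boot(VISTA_CHAIN)),
        "grub_in_mbr": unseal(blob, measure_boot(GRUB_CHAIN)),
        "patched_bootmgr": unseal(blob, measure_boot(TAMPERED_CHAIN)),
    }


if __name__ == "__main__":
    for case, key in demo().items():
        print("%-16s -> %s" % (case, "VMK released" if key else "recovery mode"))
```

Two details of the GRUB case are worth noticing: PCR 4 differs because the BIOS measured different MBR code, and PCR 8 is still all zeros because GRUB never measured the NTFS boot sector it chain-loaded. Either alone is enough to change the composite, which is why the post insists on keeping Vista's own MBR and putting GRUB behind Windows Boot Manager instead.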

Note: I assume that you have a BitLocker-compatible machine (including a TPM 1.2 and a TCG-compliant BIOS). See http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_require

Step 1 – Install Linux

Note: be sure to leave enough unpartitioned space for Windows Vista: about 11 GB of free unpartitioned space and two free primary partition slots in the partition table are needed

Step 2 – Install GRUB on the Linux partition (outside of MBR)

See other post “How to use Windows Vista’s Boot Manager to boot Linux”

Step 3 – Get a copy of Linux boot sector

See other post “How to use Windows Vista’s Boot Manager to boot Linux”

Step 4 – Create partitions for Windows Vista

We need to create 2 primary NTFS-formatted partitions on the disk: one active, at least 1.5 GB in size, and a second, larger one (all the remaining space, for instance, with a minimum of 8.5 GB). The former is the boot (active) partition: it holds bootmgr and the BCD store, stays unencrypted, and is also where linux.bin goes. The latter hosts Windows Vista and is encrypted when we activate BitLocker.

You can use the diskpart tool to do this (available from the Repair options on the Windows Vista DVD). Disks are numbered from 0, so confirm the number with list disk before selecting one; the instructions may look like this (2048 MB comfortably exceeds the 1.5 GB minimum):

· select disk 1

· create partition primary size=2048

· active

· create partition primary

Step 5 – Install Windows Vista

Install Windows Vista on the larger NTFS partition. Setup places bootmgr and the BCD store on the active partition, which is therefore the one to use in Step 6.

Step 6 – Set up Windows Vista Boot Manager to boot Linux

See other post “How to use Windows Vista’s Boot Manager to boot Linux”.

Step 7 – Enable BitLocker on Windows Vista

See the BitLocker documentation, for example http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_S3. Keep the recovery password it generates somewhere safe: any later change to the measured boot path (a BIOS update, a new MBR) will send the machine into recovery mode.


Blog Team TechNet Italia said:

It is a question many people ask me every time I talk about BitLocker. Now on Port25 there is a good
posted at 07:27AM 10/17/2006
Off Campus said:

Last weekend I spun up a dual boot environment with Ubuntu and Vista. It worked fine even with BitLocker
posted at 10:14AM 03/10/2007
medor said:

Very good tutorial, I did it painlessly on a laptop with Vista Pro pre-installed to boot Mandriva: Vista will boot GRUB, and GRUB will boot Vista, no problem.

So I figured I’d do it on an Asus Pundit barebone where, through a Microsoft Partner Program, I have installed a “Vista Upgrade Business” (some kind of Vista Pro).

Well, guess what: this Vista, every time it is run, resets the boot partition to its own. Not only that, but it always boots directly, without the boot loader.

I’ve checked just about everything, missing files, etc, etc.
posted at 11:18AM 10/26/2007
TechNet Blog CZ/SK said:

Security Microsoft and Novell Open Interoperability Lab http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx
posted at 07:27AM 12/01/2007
Josh Kline said:

This works exactly as advertised. I installed Ubuntu with Grub installed on its installation partition (I used manual partitioning, picked my partition, and in the advanced section, specified that Grub should go on that same partition) after already having installed XP and Vista and using the Vista boot manager. I then used the Ubuntu live cd and used “sudo dd if=/…” from above, and placed that in my active partition (my XP installation) as described. This was the best solution that I found for Windows users who don’t want to go through Grub to get to the windows boot manager.
posted at 09:58PM 07/26/2008
Bala said:

Thanks. Brilliant steps that worked just spot on.

Would like to add the following in the interest of others who may be in a similar situation as I was…

a) I bought a new Dell Laptop that came with Vista installed already.

b) Installed Fedora Core 9. This obviously put the GRUB on the MBR.

c) Followed the steps 1 and 2 above of “How to use Windows Vista’s Boot Manager to boot Linux”

d) Instead of step 3, went to the 'Command Prompt' through the 'Windows Repair Option' (by booting the system with the Vista CD). Ran Bootrec.exe /FixMBR. Then followed the remaining steps as above.

Now my laptop dual boots nicely between Vista and Fedora-c9

Thanks again for providing such a clear guidance.

posted at 07:59AM 10/12/2008
Sidney said:

Thank you so much for this info! I was trying to use ReadyDriver Plus 1.1 in order to work around MS driver enforcement but it doesn’t work correctly with Ubuntu’s boot loader. With this I was able to use Vista’s boot loader which allowed the option of Ubuntu or Vista with ext2 file system drivers.
posted at 07:39PM 12/15/2008
erict said:

I was only able to get this to work when I changed

bcdedit /set {LinuxID} device boot

to

bcdedit /set {LinuxID} device partition=C:

Thanks for the info!!
posted at 01:25AM 12/20/2008