[Bug 2144897] Re: GRUB chainloading Windows breaks BitLocker TPM PCR measurements
Mate Kukri
2144897 at bugs.launchpad.net
Fri Mar 20 11:08:18 UTC 2026
You can just set BootNext from GRUB, you do not need to boot an entire
Linux initramfs to do that.
But this is not a bug, PCRs being different is an inherent property of
normal chainloading.
With that said, we were looking into BootNext-based dual booting prior
(without extra Linux images), so this _feature_ might still be
implemented at some point.
** Changed in: grub2 (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2144897
Title:
GRUB chainloading Windows breaks BitLocker TPM PCR measurements
Status in grub2 package in Ubuntu:
New
Bug description:
When GRUB chainloads \EFI\Microsoft\Boot\bootmgfw.efi to boot Windows, the
TPM PCR measurements are altered because GRUB is in the boot chain. This causes
BitLocker to prompt for the recovery key on every boot via GRUB.

This affects all Ubuntu dual-boot setups with Windows + BitLocker on UEFI systems.

Workaround: I've developed a workaround that boots a minimal Linux kernel/initramfs
which sets the UEFI BootNext variable via efibootmgr and immediately reboots. The
firmware then boots Windows natively with correct TPM state. BitLocker is happy.
The premount script runs before the LUKS prompt, so you never have to enter your
Linux disk encryption password just to boot Windows.

See: https://gist.github.com/graingert/38d834a24a760d664b3f903ed48d6dca

Proposed solution: GRUB (or os-prober / 30_os-prober) should support setting
EFI BootNext and triggering a reboot instead of chainloading. This would make
dual-booting with BitLocker work out of the box without breaking TPM measurements.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: grub2-common 2.12-1ubuntu7.3
ProcVersionSignature: Ubuntu 6.17.0-19.19~24.04.2-generic 6.17.13
Uname: Linux 6.17.0-19-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Mar 19 12:03:36 2026
InstallationDate: Installed on 2022-07-23 (1335 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
SourcePackage: grub2
Title: GRUB chainloading Windows breaks BitLocker TPM PCR measurements
UpgradeStatus: Upgraded to noble on 2024-09-12 (553 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2144897/+subscriptions
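Added example, not part of the original message or of GRUB's code: a small model of the TPM extend operation showing why a chainloaded boot yields a different PCR value than a native one, and why a reboot via BootNext restores it. It assumes a single SHA-256 PCR, constructed byte strings standing in for the EFI images, and a plain comparison standing in for the TPM's unseal policy check; all function names are hypothetical.

```python
import hashlib

# A PCR in the SHA-256 bank starts as 32 zero bytes after a platform reset.
PCR_RESET = bytes(32)

# Constructed stand-ins for the EFI binaries measured during boot.
SHIM = b"constructed: shimx64.efi"
GRUB = b"constructed: grubx64.efi"
BOOTMGFW = b"constructed: bootmgfw.efi"


def extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(measured data))."""
    digest = hashlib.sha256(measured).digest()
    return hashlib.sha256(pcr + digest).digest()


def boot(chain: list[bytes]) -> bytes:
    """Measure every image loaded in one boot, starting from a reset PCR."""
    pcr = PCR_RESET
    for image in chain:
        pcr = extend(pcr, image)
    return pcr


def final_pcr(boots: list[list[bytes]]) -> bytes:
    """Each reboot resets the PCR, so only the last boot's chain counts."""
    return boot(boots[-1])


def can_unseal(sealed_to: bytes, boots: list[list[bytes]]) -> bool:
    """Simplified policy check: the key is released only on an exact match."""
    return final_pcr(boots) == sealed_to


def demo() -> dict[str, bool]:
    # The value the volume key was sealed against: firmware loads bootmgfw directly.
    sealed_to = boot([BOOTMGFW])
    return {
        # Firmware boot entry for Windows, no GRUB involved.
        "native": can_unseal(sealed_to, [[BOOTMGFW]]),
        # GRUB chainloads bootmgfw: shim and GRUB are already folded into the PCR.
        "chainload": can_unseal(sealed_to, [[SHIM, GRUB, BOOTMGFW]]),
        # BootNext is set, then a reboot: the second boot measures bootmgfw only.
        "bootnext": can_unseal(sealed_to, [[SHIM, GRUB], [BOOTMGFW]]),
    }


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path:10s} unseal {'succeeds' if ok else 'fails (recovery key prompt)'}")
```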