[Bug 2144897] Re: GRUB chainloading Windows breaks BitLocker TPM PCR measurements

graingert 2144897 at bugs.launchpad.net
Fri Mar 20 15:05:03 UTC 2026


I tried making a custom grub module, but insmod is disabled on signed Secure Boot grub.

Thomas Grainger

On Fri, 20 Mar 2026, 11:50 graingert, <2144897 at bugs.launchpad.net>
wrote:

> How can I see BootNext from grub without booting an entire Linux
> initramfs?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2144897
>
> Title:
>   GRUB chainloading Windows breaks BitLocker TPM PCR measurements
>
> Status in grub2 package in Ubuntu:
>   New
>
> Bug description:
>    When GRUB chainloads \EFI\Microsoft\Boot\bootmgfw.efi to boot Windows, the
>    TPM PCR measurements are altered because GRUB is in the boot chain. This causes
>    BitLocker to prompt for the recovery key on every boot via GRUB.
>    .
>    This affects all Ubuntu dual-boot setups with Windows + BitLocker on UEFI systems.
>    .
>    Workaround: I've developed a workaround that boots a minimal Linux kernel/initramfs
>    which sets the UEFI BootNext variable via efibootmgr and immediately reboots. The
>    firmware then boots Windows natively with correct TPM state. BitLocker is happy.
>    The premount script runs before the LUKS prompt, so you never have to enter your
>    Linux disk encryption password just to boot Windows.
>    .
>    See: https://gist.github.com/graingert/38d834a24a760d664b3f903ed48d6dca
>    .
>    Proposed solution: GRUB (or os-prober / 30_os-prober) should support setting
>    EFI BootNext and triggering a reboot instead of chainloading. This would make
>    dual-booting with BitLocker work out of the box without breaking TPM measurements.
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 24.04
>   Package: grub2-common 2.12-1ubuntu7.3
>   ProcVersionSignature: Ubuntu 6.17.0-19.19~24.04.2-generic 6.17.13
>   Uname: Linux 6.17.0-19-generic x86_64
>   ApportVersion: 2.28.1-0ubuntu3.8
>   Architecture: amd64
>   CasperMD5CheckResult: pass
>   CurrentDesktop: ubuntu:GNOME
>   Date: Thu Mar 19 12:03:36 2026
>   InstallationDate: Installed on 2022-07-23 (1335 days ago)
>   InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
>   SourcePackage: grub2
>   Title: GRUB chainloading Windows breaks BitLocker TPM PCR measurements
>   UpgradeStatus: Upgraded to noble on 2024-09-12 (553 days ago)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2144897/+subscriptions
>
>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2144897
