Jump to content











Photo
- - - - -

Second boot entry for bitlocked system


  • Please log in to reply
7 replies to this topic

#1 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 21 June 2011 - 04:47 PM

Hi everyone,

I have the question if someone has added a boot entry of a bitlocked system into an other BCD store on an other drive.

I have a Win 7 computer with an encrypted system and data partition with bitlocker. The computer has a TPM built in and the system is configured for automatic decryption. So on power on the helper system in the boot partition is started, it detects TPM and not-tampered volumes, initiates the decryption and boots the main system.

Since this computer has a too small disk (it's a notebook) I quite often have a usb disk connected. This disk is also bootable and holds my Win 7 VHD test system. So I have set the boot priority to usb on the notebook and power it on with no usb drive attached. But quite often I forget to remove the usb disk and the computer starts to boot the external VHD system.

That's why I would like to add another entry in the BCD store on the usb disk that boots the main system on the built in disk. Is it possible to simply add the helper system in the BCD using bcdedit in the same manner as other common boot entries (and make it the default boot entry) or is there some more magic information necessary about the bitlocked system?

Many Greetings
MichaelZ

P.S. I know that the helper system doesn't like an attached usb disk and requires manual key entry or the key file from ufd.

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15464 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 21 June 2011 - 05:16 PM

That's why I would like to add another entry in the BCD store on the usb disk that boots the main system on the built in disk. Is it possible to simply add the helper system in the BCD using bcdedit in the same manner as other common boot entries (and make it the default boot entry) or is there some more magic information necessary about the bitlocked system?

I doubt it can work the way you depicted it. :blink:

Maybe you could have on the external USB disk grub4dos with a menu.lst entry that:
  • exchanges drives order in BIOS
  • chainloads the MBR of internal disk

What (meaning "directly BOOTMGR", grub4dos, NTLDR, Syslinux, etc.) does the USB disk currently boot?
It is possible to add the grldr.mbr to the BCD on the USB disk and from it attempt to boot the internal disk.

:thumbup:
Wonko

#3 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 22 June 2011 - 07:06 AM

Maybe you could have on the external USB disk grub4dos with a menu.lst entry that:

  • exchanges drives order in BIOS
  • chainloads the MBR of internal disk

Thats a good idea, I will try that.

What (meaning "directly BOOTMGR", grub4dos, NTLDR, Syslinux, etc.) does the USB disk currently boot?


"Directly BOOTMGR" was supposed to mean a MBR of NT60 type and bootmgr in the active partition.

I guess I will be back later when my fight with menu.lst isn't successful.

Many Greetings
MichaelZ

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15464 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 June 2011 - 07:19 AM

"Directly BOOTMGR" was supposed to mean a MBR of NT60 type and bootmgr in the active partition.

Yes :1st:, so you can add the grldr.mbr to the BCD.
Boot should go like:
BIOS->USB is first disk/Internal is second->MBR on UBS->PBR on USB ->BOOTMGR on USB->grldr.mbr on USB->grldr on USB->menu.lst on USB->USB and internal are set in reversed order->MBR of Internal->bitlocker/whatever->PBR of INTernal->etc.,etc.
as opposed to (no USB disk connected) current:
BIOS->Internal is first disk->MBR on Internal->bitlocker/whatever->PBR on Internal->etc.,etc.

As always BEFORE writing a menu.lst entry, try on command line:
map (hd0) (hd1)

map (hd1) (hd0)

map --hook

rootnoverify (hd0)

chainloader +1

boot


:cheers:
Wonko

#5 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 22 June 2011 - 08:48 AM

Have many thanks, Wonko.
In the mean time I read Diddy's tutorial, downloaded chenall's uptodate grub4dos and I was successful :1st:

This is the code I used

title Windows 7 interne Platte

map (hd1) (hd0)

map (hd0) (hd1)

map --hook

root (hd0,1)

chainloader /bootmgr



title Windows 7 externe Platte

chainloader /bootmgr

Quite interestingly root (hd0) gave an error about not being able to mount. It could be suppressed by rootnoverify but then the same error was one step later with chainloader /bootmgr. The command find /bootmgr showed that it is on (hd0,1) and using this as root lead to the success.

Many Greetings
MichaelZ


P.S. I have installed grldr as MBR, that was easier than adding grldr to BCD...

#6 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 22 June 2011 - 09:09 AM


root (hd0,1)

Quite interestingly root (hd0) gave an error about not being able to mount.

Mystery solved. I just had a look at the partition layout. Should I have done this beforehand ??? :1st:
There is still the Dell diagnostic partition on the disk as first partition. I thought I had deleted it ages ago.

Many Greetings
MichaelZ

#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15464 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 June 2011 - 09:20 AM

NO, you CANNOT root to a WHOLE (partitioned) disk.

The (hd0) is the WHOLE disk (and thus has NO filesystem you can "root" to).

Thus you use rootnoverify.

Then you should chainload the MBR, i.e.:

rootnoverify (hd0)

chainloader +1

or:
chainloader (hd0)+1

It is NOT possible that you can chainload the bootmgr on the (encrypted) partition! :)

Unless of course I didn't get it. :cheers:

Normally it's the MBR that initiates the decription. :1st:

Or, if you prefer, AFAIK/AFAICR the partition should be encrypted UNLESS and UNTIL it is booted through it's MBR and PBR, and there is NO "bootmgr" file visible in the filesystem.

I wonder HOW your system bitlocker is set.

If it is not as I presumed, any of:
root (hd0,1)

chainloader +1

chainloader (hd0,1)+1
root (hd0,1)

chainloader /bootmgr

chainloader (hd0,1)/bootmgr
find --set-root /bootmgr

chainloader +1
find --set-root /bootmgr

chainloader /bootmgr
will work.

Anyway, the main thing is that it works for you :cheers:.

:unsure:
Wonko

#8 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 333 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 22 June 2011 - 10:21 AM

The (hd0) is the WHOLE disk (and thus has NO filesystem you can "root" to).

rootnoverify (hd0)

chainloader +1

Thanks for explaining this syntax.

Normally it's the MBR that initiates the decription. :dubbio:

I always thought that it is a recovery system that is first booted invisibly that does the health checking (correct TPM present and no foreign disks present, e.g. ufd) and if everything is correct it automatically unlocks the encrypted partitions or if modifications are detected it queries for the key(s) to unlock.
Do you think that bootmgr can read TPM and USB ports?

I wonder HOW your system bitlocker is set.

The system has a NT60 MBR and following partitions, drive letters of booted system in paranthesis:

Dell diagnostic partition (0xDE)
recovery partition (0x07, R:, NT60 BR)
system partition (0x07, bitlocked, C:)
extended partition (0x0F)
data partiton (0x07, bitlocked, D:)
a little unpartitioned space

The recovery partition is set as active in the MBR.

The BCD store contains following elements (many lines omitted):

Windows-Start-Manager---------------------Bezeichner              {bootmgr}device                  partition=R:description             Windows Boot Managerlocale                  de-DEdefault                 {current}displayorder            {current}                        {afbf4d35-9cfa-11de-b439-001c238b2408}                        {572bcd55-ffa7-11d9-aae0-0007e994107d}Windows-Startladeprogramm-------------------------Bezeichner              {current}device                  partition=C:path                    \Windows\system32\winload.exedescription             Windows 7locale                  de-DEosdevice                partition=C:Windows-Startladeprogramm-------------------------Bezeichner              {afbf4d35-9cfa-11de-b439-001c238b2408}device                  ramdisk=[R:]\Recovery\afbf4d35-9cfa-11de-b439-001c238b2408\Winre.wim,{afbf4d36-9cfa-11de-b439-001c238b2408}path                    \windows\system32\winload.exedescription             Windows 7 Recovery Environmentosdevice                ramdisk=[R:]\Recovery\afbf4d35-9cfa-11de-b439-001c238b2408\Winre.wim,{afbf4d36-9cfa-11de-b439-001c238b2408}systemroot              \windowswinpe                   YesWindows-Startladeprogramm-------------------------Bezeichner              {572bcd55-ffa7-11d9-aae0-0007e994107d}device                  partition=R:path                    \Windows\System32\boot\winload.exedescription             Windows Vista Recovery Environmentosdevice                partition=R:systemroot              \Windowswinpe                   Yes

There was a Windows Vista on the disk beforehand and I did not delete the Vista recovery system as it does not interfere with the Windows 7 recovery system and the Windows 7 setup left it that way. After installation (fresh install, no Vista update ofcourse...) I initialized the TPM and activated Windows 7 bitlocker.

So it's a good question: What happens after the MBR transfers control to the NT60 boot record in the recovery partition.

Many Greetings
MichaelZ

P.S. There is no codebox command anymore in this forum software?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users