Second boot entry for bitlocked system
#1
Posted 21 June 2011 - 04:47 PM
I have a question: has anyone added a boot entry for a bitlocked system into another BCD store on another drive?
I have a Win 7 computer with an encrypted system and data partition with bitlocker. The computer has a TPM built in and the system is configured for automatic decryption. So on power on the helper system in the boot partition is started, it detects the TPM and untampered volumes, initiates the decryption and boots the main system.
Since this computer has too small a disk (it's a notebook) I quite often have a usb disk connected. This disk is also bootable and holds my Win 7 VHD test system. So I have set the boot priority to usb on the notebook and power it on with no usb drive attached. But quite often I forget to remove the usb disk and the computer starts to boot the external VHD system.
That's why I would like to add another entry in the BCD store on the usb disk that boots the main system on the built in disk. Is it possible to simply add the helper system in the BCD using bcdedit in the same manner as other common boot entries (and make it the default boot entry) or is there some more magic information necessary about the bitlocked system?
Many Greetings
MichaelZ
P.S. I know that the helper system doesn't like an attached usb disk and requires manual key entry or the key file from ufd.
#2
Posted 21 June 2011 - 05:16 PM
> That's why I would like to add another entry in the BCD store on the usb disk that boots the main system on the built in disk. Is it possible to simply add the helper system in the BCD using bcdedit in the same manner as other common boot entries (and make it the default boot entry) or is there some more magic information necessary about the bitlocked system?

I doubt it can work the way you depicted it.
Maybe you could have on the external USB disk grub4dos with a menu.lst entry that:
- exchanges drives order in BIOS
- chainloads the MBR of internal disk
What (meaning "directly BOOTMGR", grub4dos, NTLDR, Syslinux, etc.) does the USB disk currently boot?
It is possible to add the grldr.mbr to the BCD on the USB disk and from it attempt to boot the internal disk.
Wonko
#3
Posted 22 June 2011 - 07:06 AM
> Maybe you could have on the external USB disk grub4dos with a menu.lst entry that:
> - exchanges drives order in BIOS
> - chainloads the MBR of internal disk
> What (meaning "directly BOOTMGR", grub4dos, NTLDR, Syslinux, etc.) does the USB disk currently boot?

That's a good idea, I will try that.
"Directly BOOTMGR" was supposed to mean a MBR of NT60 type and bootmgr in the active partition.
I guess I will be back later when my fight with menu.lst isn't successful.
Many Greetings
MichaelZ
#4
Posted 22 June 2011 - 07:19 AM
> "Directly BOOTMGR" was supposed to mean a MBR of NT60 type and bootmgr in the active partition.

Yes, so you can add the grldr.mbr to the BCD.
Boot should go like:
BIOS->USB is first disk/Internal is second->MBR on USB->PBR on USB->BOOTMGR on USB->grldr.mbr on USB->grldr on USB->menu.lst on USB->USB and internal are set in reversed order->MBR of Internal->bitlocker/whatever->PBR of Internal->etc., etc.
as opposed to (no USB disk connected) current:
BIOS->Internal is first disk->MBR on Internal->bitlocker/whatever->PBR on Internal->etc., etc.
As always BEFORE writing a menu.lst entry, try on command line:
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
rootnoverify (hd0)
chainloader +1
boot
Wonko
#5
Posted 22 June 2011 - 08:48 AM
In the meantime I read Diddy's tutorial, downloaded chenall's up-to-date grub4dos and I was successful.
This is the code I used:
title Windows 7 interne Platte
map (hd1) (hd0)
map (hd0) (hd1)
map --hook
root (hd0,1)
chainloader /bootmgr

title Windows 7 externe Platte
chainloader /bootmgr

Quite interestingly root (hd0) gave an error about not being able to mount. It could be suppressed by rootnoverify but then the same error came one step later with chainloader /bootmgr. The command find /bootmgr showed that it is on (hd0,1) and using this as root led to success.
Many Greetings
MichaelZ
P.S. I have installed grldr as MBR, that was easier than adding grldr to BCD...
#6
Posted 22 June 2011 - 09:09 AM
> root (hd0,1)
> Quite interestingly root (hd0) gave an error about not being able to mount.

Mystery solved. I just had a look at the partition layout. Should I have done this beforehand???
There is still the Dell diagnostic partition on the disk as first partition. I thought I had deleted it ages ago.
Many Greetings
MichaelZ
#7
Posted 22 June 2011 - 09:20 AM
The (hd0) is the WHOLE disk (and thus has NO filesystem you can "root" to).
Thus you use rootnoverify.
Then you should chainload the MBR, i.e.:
rootnoverify (hd0)
chainloader +1
or:
chainloader (hd0)+1
It is NOT possible that you can chainload the bootmgr on the (encrypted) partition!
Unless of course I didn't get it.
Normally it's the MBR that initiates the decryption.
Or, if you prefer, AFAIK/AFAICR the partition should be encrypted UNLESS and UNTIL it is booted through its MBR and PBR, and there is NO "bootmgr" file visible in the filesystem.
I wonder HOW your system bitlocker is set.
If it is not as I presumed, any of:
root (hd0,1)
chainloader +1

chainloader (hd0,1)+1

root (hd0,1)
chainloader /bootmgr

chainloader (hd0,1)/bootmgr

find --set-root /bootmgr
chainloader +1

find --set-root /bootmgr
chainloader /bootmgr

will work.
Anyway, the main thing is that it works for you.
Wonko
#8
Posted 22 June 2011 - 10:21 AM
> The (hd0) is the WHOLE disk (and thus has NO filesystem you can "root" to).
> rootnoverify (hd0)
> chainloader +1

Thanks for explaining this syntax.

> Normally it's the MBR that initiates the decryption.

I always thought that it is a recovery system, booted first and invisibly, that does the health checking (correct TPM present and no foreign disks present, e.g. ufd) and, if everything is correct, automatically unlocks the encrypted partitions or, if modifications are detected, queries for the key(s) to unlock.
Do you think that bootmgr can read TPM and USB ports?
> I wonder HOW your system bitlocker is set.

The system has a NT60 MBR and the following partitions, drive letters of the booted system in parentheses:
Dell diagnostic partition (0xDE)
recovery partition (0x07, R:, NT60 BR)
system partition (0x07, bitlocked, C:)
extended partition (0x0F)
data partition (0x07, bitlocked, D:)
a little unpartitioned space
The recovery partition is set as active in the MBR.
The BCD store contains following elements (many lines omitted):
Windows-Start-Manager
---------------------
Bezeichner              {bootmgr}
device                  partition=R:
description             Windows Boot Manager
locale                  de-DE
default                 {current}
displayorder            {current}
                        {afbf4d35-9cfa-11de-b439-001c238b2408}
                        {572bcd55-ffa7-11d9-aae0-0007e994107d}

Windows-Startladeprogramm
-------------------------
Bezeichner              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  de-DE
osdevice                partition=C:

Windows-Startladeprogramm
-------------------------
Bezeichner              {afbf4d35-9cfa-11de-b439-001c238b2408}
device                  ramdisk=[R:]\Recovery\afbf4d35-9cfa-11de-b439-001c238b2408\Winre.wim,{afbf4d36-9cfa-11de-b439-001c238b2408}
path                    \windows\system32\winload.exe
description             Windows 7 Recovery Environment
osdevice                ramdisk=[R:]\Recovery\afbf4d35-9cfa-11de-b439-001c238b2408\Winre.wim,{afbf4d36-9cfa-11de-b439-001c238b2408}
systemroot              \windows
winpe                   Yes

Windows-Startladeprogramm
-------------------------
Bezeichner              {572bcd55-ffa7-11d9-aae0-0007e994107d}
device                  partition=R:
path                    \Windows\System32\boot\winload.exe
description             Windows Vista Recovery Environment
osdevice                partition=R:
systemroot              \Windows
winpe                   Yes

There was a Windows Vista on the disk beforehand and I did not delete the Vista recovery system as it does not interfere with the Windows 7 recovery system and the Windows 7 setup left it that way. After installation (fresh install, no Vista update of course...) I initialized the TPM and activated Windows 7 bitlocker.
So it's a good question: What happens after the MBR transfers control to the NT60 boot record in the recovery partition.
Many Greetings
MichaelZ
P.S. There is no codebox command anymore in this forum software?
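An added example, not code from the thread or from grub4dos: a small Python parser for the text that `bcdedit /enum` prints, run over a sample store reconstructed from MichaelZ's listing above (the German headers and the "Bezeichner" key are kept as the de-DE bcdedit prints them; the set of encrypted volumes is taken from his partition list and is an assumption of the example, not something the store itself records). It makes Wonko's point checkable: the boot manager, and therefore the `bootmgr` file, lives on the unencrypted R: partition, which is (hd0,1) on the internal disk, while the Windows 7 loader entry's osdevice is the bitlocked C: volume. That is why `root (hd0,1)` plus `chainloader /bootmgr` works and why no `bootmgr` is reachable on C:.

```python
"""Parse `bcdedit /enum` output and report which volume each boot entry
lives on and which ones point at a BitLocker-protected OS volume.

Added example; not part of the original thread. SAMPLE_BCD is constructed
after the de-DE store listing in the thread.
"""
import re

SAMPLE_BCD = r"""
Windows-Start-Manager
---------------------
Bezeichner              {bootmgr}
device                  partition=R:
description             Windows Boot Manager
locale                  de-DE
default                 {current}
displayorder            {current}
                        {afbf4d35-9cfa-11de-b439-001c238b2408}
                        {572bcd55-ffa7-11d9-aae0-0007e994107d}

Windows-Startladeprogramm
-------------------------
Bezeichner              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  de-DE
osdevice                partition=C:

Windows-Startladeprogramm
-------------------------
Bezeichner              {afbf4d35-9cfa-11de-b439-001c238b2408}
device                  ramdisk=[R:]\Recovery\afbf4d35-9cfa-11de-b439-001c238b2408\Winre.wim,{afbf4d36-9cfa-11de-b439-001c238b2408}
path                    \windows\system32\winload.exe
description             Windows 7 Recovery Environment
osdevice                ramdisk=[R:]\Recovery\afbf4d35-9cfa-11de-b439-001c238b2408\Winre.wim,{afbf4d36-9cfa-11de-b439-001c238b2408}
systemroot              \windows
winpe                   Yes

Windows-Startladeprogramm
-------------------------
Bezeichner              {572bcd55-ffa7-11d9-aae0-0007e994107d}
device                  partition=R:
path                    \Windows\System32\boot\winload.exe
description             Windows Vista Recovery Environment
osdevice                partition=R:
systemroot              \Windows
winpe                   Yes
"""

KEY_VALUE = re.compile(r"^(\S+)\s{2,}(.*)$")   # "key<2+ spaces>value"
CONTINUATION = re.compile(r"^\s+(\S.*)$")       # indented: extra value of last key
# bcdedit prints the identifier key localized; map the de-DE label (assumption
# for other locales: add their label here).
KEY_ALIASES = {"Bezeichner": "identifier"}


def parse_bcd_enum(text):
    """Return one dict per entry; multi-valued keys (displayorder) become lists."""
    entries, current, last_key = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        if set(line.strip()) == {"-"}:
            # a dashed rule follows the section header, e.g. "Windows-Start-Manager"
            current = {"_type": lines[i - 1].strip()}
            entries.append(current)
            last_key = None
            continue
        if current is None:
            continue  # the header line itself is consumed when its rule follows
        m = CONTINUATION.match(line)
        if m and last_key:
            current[last_key].append(m.group(1))
            continue
        m = KEY_VALUE.match(line)
        if m:
            key = KEY_ALIASES.get(m.group(1), m.group(1))
            current.setdefault(key, []).append(m.group(2).strip())
            last_key = key
    return [{k: (v[0] if isinstance(v, list) and len(v) == 1 else v)
             for k, v in e.items()} for e in entries]


def volume_of(device_spec):
    """Drive letter a device spec refers to: 'partition=R:' -> 'R:',
    'ramdisk=[R:]\\...' -> 'R:' (the volume holding the WIM); else None."""
    m = re.match(r"partition=([A-Za-z]:)", device_spec) or \
        re.match(r"ramdisk=\[([A-Za-z]:)\]", device_spec)
    return m.group(1) if m else None


def boot_chain_report(entries, encrypted_volumes):
    """Which volume the boot manager sits on, and for each loader entry which
    volumes hold the loader and the OS and whether the OS volume is encrypted."""
    bootmgr = next(e for e in entries if e.get("identifier") == "{bootmgr}")
    report = {"bootmgr_volume": volume_of(bootmgr["device"]), "loaders": []}
    report["bootmgr_encrypted"] = report["bootmgr_volume"] in encrypted_volumes
    for e in entries:
        if "osdevice" not in e:
            continue
        os_vol = volume_of(e["osdevice"])
        report["loaders"].append({
            "id": e["identifier"],
            "description": e.get("description"),
            "loader_volume": volume_of(e["device"]),
            "os_volume": os_vol,
            "os_encrypted": os_vol in encrypted_volumes,
            "winpe": e.get("winpe") == "Yes",
        })
    return report


if __name__ == "__main__":
    entries = parse_bcd_enum(SAMPLE_BCD)
    # C: and D: are the bitlocked volumes from the partition list in the thread.
    rep = boot_chain_report(entries, {"C:", "D:"})
    print("bootmgr on", rep["bootmgr_volume"], "encrypted:", rep["bootmgr_encrypted"])
    for l in rep["loaders"]:
        print(f'{l["description"]}: loader on {l["loader_volume"]}, '
              f'OS on {l["os_volume"]}, OS encrypted: {l["os_encrypted"]}')
```

Run against a real store with `bcdedit /enum all > bcd.txt` and feed the file to `parse_bcd_enum`; the report answers the question from post #7 for any BitLocker machine: the `{bootmgr}` entry must resolve to an unencrypted volume, and that is the partition a chainloader has to target.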