What is the impact of deactivating the PCR 4 "Boot manager" from my Bitlocker Group Policy


Due to a problem with my dual boot setup (Windows 11 Pro and Linux Mint), I needed to deactivate the PCR 4 from the Bitlocker Group Policies in order to not type in my Bitlocker recovery password every time I log into Windows.

More information on it can be found here, BitLocker group policy settings, at the "Configure TPM platform validation profile for native UEFI firmware configurations" part.

As for my dual boot setup, it is this one, [SOLVED] Dual booting Mint on a second drive independently, but with both drive encrypted with Bitlocker and LVM + LUKS for Linux Mint

The encryption guide I followed, Dual Booting Ubuntu With Windows 10 Pro With BitLocker Encryption.

What is going to be the impact in terms of security? I also needed to deactivate the PCR 7 "Secure Boot" to enable a dual boot setup, can you explain to me what this implies as well? What kind of attacks can still be used?

I just wanted to prevent my data from being recovered by some random coffee-shop thief, so I don't expect many security issues; I'm just generally interested in understanding how all of this works. But the documentation isn't clear and I can't seem to find more information on this. I think I might be the only one dumb enough to do that kind of setup.

Anyway, thanks in advance and have a great day!

Answer 1

PCR 4 is the register that logs the exact hashes of all *.efi files involved in the boot process. Meanwhile, PCR 7 is the register that logs which CA certificates were used to validate Secure Boot signatures (e.g. it can distinguish "Windows CA" from "UEFI Third-party CA").

(Compare PCR 4 to ssh/known_hosts which remembers exact keys, and PCR 7 to web browsers which use CA certificates.)

The impact of disabling both PCR 4 and PCR 7 is that anyone will be able to swap the legitimate Windows bootloader with a "customized" version that gets the BitLocker key from your TPM as usual and then gives it to the attacker (allowing the disk to be decrypted), with relatively little difficulty.

It's probably still beyond the level of "yoink, wipe, and sell" thieves, but not something I'd trust with sensitive data.

Dual-boot with BitLocker doesn't require disabling either of those as long as you select Windows/Linux directly through the firmware boot menu (i.e. not starting Windows via GRUB).
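The following is an added illustration, not code from the question or the answer, of why removing PCR 4 and PCR 7 from the validation profile lets a swapped bootloader obtain the key. It is a deliberately simplified model of the TPM: PCRs are extended with SHA-256 (new = SHA256(old || SHA256(measurement))), PCR 4 receives the hash of each EFI binary, PCR 7 receives the Secure Boot state and the CA that validated each binary, and the "sealed" key is modelled as a digest over only the PCRs selected in the profile. The boot chains, binary contents and CA names are constructed sample values; a real firmware event log contains many more events.

```python
import hashlib

# A SHA-256 PCR bank starts at 32 zero bytes.
PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend for a SHA-256 bank: new = SHA256(old || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


# Constructed boot chains: (EFI binary contents, CA that validated its signature).
WINDOWS_CA = b"Windows CA (constructed)"
THIRD_PARTY_CA = b"UEFI Third-party CA (constructed)"

# The bootloader the key was sealed against.
LEGIT_BOOT = [(b"bootmgfw.efi build A (constructed)", WINDOWS_CA)]
# A different binary that still carries a signature under the same Windows CA.
SWAPPED_SAME_CA = [(b"bootmgfw.efi build B (constructed)", WINDOWS_CA)]
# A loader validated by the third-party CA that then chain-loads Windows
# (the "Windows via GRUB" situation the answer mentions).
SWAPPED_THIRD_PARTY = [
    (b"shimx64.efi (constructed)", THIRD_PARTY_CA),
    (b"bootmgfw.efi build A (constructed)", WINDOWS_CA),
]


def measure_boot(chain):
    """Replay a boot chain into PCR 4 (what ran) and PCR 7 (who approved it)."""
    pcr4, pcr7 = PCR_INIT, PCR_INIT
    pcr7 = extend(pcr7, b"SecureBoot=1")   # Secure Boot state is measured first
    for binary, ca in chain:
        pcr4 = extend(pcr4, binary)        # exact hash of the EFI file
        pcr7 = extend(pcr7, ca)            # CA certificate that validated it
    return {4: pcr4, 7: pcr7}


def policy_digest(pcrs, profile):
    """Digest the key is sealed against; covers only the PCRs in the profile."""
    h = hashlib.sha256()
    for idx in sorted(profile):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


def key_released(profile, boot_chain):
    """True if a key sealed at LEGIT_BOOT under `profile` unseals after `boot_chain`."""
    sealed = policy_digest(measure_boot(LEGIT_BOOT), profile)
    return policy_digest(measure_boot(boot_chain), profile) == sealed


def report():
    """Tabulate key release for each validation profile and boot chain."""
    profiles = {"PCR 4+7": {4, 7}, "PCR 7 only": {7},
                "PCR 4 only": {4}, "neither": set()}
    chains = {"legitimate": LEGIT_BOOT, "same-CA swap": SWAPPED_SAME_CA,
              "third-party loader": SWAPPED_THIRD_PARTY}
    rows = {}
    for pname, profile in profiles.items():
        rows[pname] = {cname: key_released(profile, chain)
                       for cname, chain in chains.items()}
    return rows


if __name__ == "__main__":
    for pname, row in report().items():
        print(f"{pname:12}", {c: ("released" if ok else "refused") for c, ok in row.items()})
```

Reading the table: with PCR 4 in the profile any change to the bootloader binary is refused; PCR 7 alone only notices a change of signing authority, so a different Microsoft-signed binary still gets the key; with both removed every chain is treated the same as the legitimate one, which is the situation the answer describes.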
