Windows 11 TPM dual boot


Solution 1

Anything you dual boot with has to support Secure Boot, UEFI and TPM. It is most likely a non-starter for most dual boot scenarios.

Many of the dual boot questions that come up here and elsewhere are older and require non-UEFI and disabled Secure Boot, which are not going to work with Windows 11.

It is still new at this point, but I expect stiff requirements will remain. That is to say, anything that does not support Windows 11 basic requirements (Secure Boot and UEFI) will not work. That means a number of current setups with looser requirements will not work in Windows 11.

Virtual Machines will be a much more likely way to run multiple machines with Windows 11.

Solution 2

The TPM is a passive component; it does not get involved in the boot process on its own, unless an OS (or a bootloader) specifically tries to interact with it. You can dual-boot an OS even if it doesn't have any support for the TPM.

That said, if you want to use the TPM from Linux, you can still do so even if it was initialized by Windows.

Windows initializes the TPM2 using a random "owner password" that it throws away... but the fact that it immediately throws away the password just tells you that you don't need it for normal operation.

For example, the RSA "storage root key" is initialized in a standard way at 0x81000001 and can be used from any OS, including Linux. (Some tools, such as systemd-cryptenroll, will just ignore it and generate an ECDSA root key instead.)

(If necessary, you can still convince Windows to store the owner password in the Registry, although obviously you can't recover the one that was thrown away, so this requires re-initializing the TPM.)

Currently the only limitation is that you cannot use the high-level FAPI tools in Linux tpm2-tss, but that is really not a big loss; almost everything builds on the "raw" EAPI anyway.


On the other hand, the Secure Boot feature can cause some trouble. You should still be able to use Linux distributions like Fedora or Ubuntu which have official support for it (they have Microsoft-signed bootloaders).

With some tinkering, you should be able to use the Microsoft-signed Shim to boot just about anything that supports UEFI. (It's kind of a loophole, as Shim just prompts you to authorize unknown .efi files by their hash.)

Secure Boot on x86 systems also allows you to set up your own signing keys alongside the Microsoft keys. This can get quite complicated, but it is nevertheless completely possible to have a Linux kernel or another .efi file be fully validated by your firmware's Secure Boot.

Solution 3

There's been a lot of misinformation in press articles about the secure boot requirement. To install and run Windows 11, your machine is required to be "Secure Boot capable", and does not have to have Secure Boot enabled. To be "Secure Boot capable" really just means that the system is booting via UEFI, not legacy BIOS/CSM.

(Technically Secure Boot was added to the UEFI spec in 2.3.1 Errata C released in 2012; I imagine almost every consumer motherboard released in the last 5+ years is Secure Boot capable.)

TPM 2.0 must also be enabled for Windows 11, but as mentioned in another answer, that does not prevent other OSes from running like Secure Boot being enabled can.

I verified Windows 11 does not require Secure Boot be enabled by installing and running it in a Hyper-V VM. Windows 11 installs happily on a Hyper-V UEFI system with Secure Boot disabled.

See https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements (note it says "UEFI, Secure Boot capable"), and https://support.microsoft.com/en-us/topic/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad (makes explicitly clear that Secure Boot need not be enabled).
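The checks that Solution 2 (the standard SRK handle 0x81000001 being usable from Linux) and Solution 3 (Secure Boot "capable" meaning UEFI boot, separate from Secure Boot being enabled) rely on can be read straight from a Linux system. The script below is an added example, not from any of the answers; it assumes the usual Linux sysfs/efivarfs paths and the `tpm2_getcap` tool from tpm2-tools, and every function takes its input path or text as a parameter so it can be exercised with constructed data.

```shell
#!/bin/sh
# Added example: report the firmware facts the answers above turn on: UEFI vs legacy
# boot, Secure Boot enabled vs merely capable, TPM version, and whether the
# Windows-initialised SRK is persisted at 0x81000001. Paths are the standard Linux
# sysfs/efivarfs locations (assumption: efivarfs is mounted).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files carry 4 attribute bytes followed by the variable data; the
# SecureBoot variable's data is one byte: 1 = enforcing, 0 = off.
# Prints "enabled", "disabled", or "absent" (no variable: legacy boot or no SB support).
sb_state_from_file() {
    [ -r "$1" ] || { echo absent; return; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo absent ;;
    esac
}

# "Secure Boot capable" in Microsoft's sense just means the system booted via UEFI,
# which the kernel exposes as the /sys/firmware/efi directory.
boot_mode() { [ -d "$1" ] && echo uefi || echo legacy; }

# Major TPM version from sysfs; "2" means a TPM 2.0 device is present.
tpm_major() { [ -r "$1" ] && cat "$1" || echo none; }

# Scan `tpm2_getcap handles-persistent` output (one "- 0x8100xxxx" line per handle)
# on stdin for the standard storage root key handle. Exit status 0 if present.
has_srk_handle() { grep -qi '0x81000001'; }

main() {
    echo "boot mode:   $(boot_mode /sys/firmware/efi)"
    echo "secure boot: $(sb_state_from_file "$SB_VAR")"
    echo "tpm major:   $(tpm_major /sys/class/tpm/tpm0/tpm_version_major)"
    if command -v tpm2_getcap >/dev/null 2>&1; then
        if tpm2_getcap handles-persistent 2>/dev/null | has_srk_handle; then
            echo "srk 0x81000001: present"
        else
            echo "srk 0x81000001: not persisted"
        fi
    else
        echo "srk 0x81000001: tpm2-tools not installed, skipped"
    fi
}

main
```

A system that prints `uefi` with `secure boot: disabled` is exactly the "capable but not enabled" configuration Solution 3 describes as sufficient for Windows 11.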

Author: Abdelhakim AKODADI

Updated on September 18, 2022

Comments

  • Abdelhakim AKODADI
    Abdelhakim AKODADI over 1 year

    Does the fact that Windows 11 requires TPM and Secure Boot mean that we can no longer have a dual boot setup with let say Linux for example?

    • Ramhound
      Ramhound almost 3 years
      Ubuntu (Debian) and RHEL (Fedora) both support Secure Boot. It's impossible at this time to indicate what the final version of Windows 11 will allow. Microsoft's own documentation indicates that there will be exceptions to the Secure Boot requirement, specifically, in the case of custom Windows 11 images. There are currently registry keys that disable the Secure Boot requirement. I am not sure how TPM relates to booting multiple operating systems though. Strictly speaking, provided you shim a valid certificate, you will be able to boot into Linux and Windows 11.
    • Ramhound
      Ramhound almost 3 years
      Bottom line: Secure Boot being required is an easy problem to solve depending on the Linux distribution you want to use. Linux communities have had a better part of decade to address the Secure Boot support. I personally welcome the requirement.
    • Ramhound
      Ramhound about 2 years
      @OlivierPons - Ok? I find Windows perfectly stable. Why are you telling me about your issues with Windows 11? That has nothing to do with the author's question.
    • Wermerb
      Wermerb about 2 years
      I misunderstood the question: I thought it was like "Windows 11 requires TPM implies we won't be able to use Linux (= have a dual boot)". If so, I think what I wrote was an adequate comment. Of course it has been removed. But it can't be removed from my own site, and from what I explain to all my students, because I don't think if the answer is "yes" to this question, this is a good thing.
  • Ramhound
    Ramhound almost 3 years
    I suspect Microsoft will point to the fact every Windows 11 compatible machine also supports WSL2. Since every edition of Windows 11 will support WSL2. By the point Windows 11 is released, WSL2 will also support Linux applications, with a GUI. There might be a point where multiple operating systems on a machine are not even required. Of course the major distributions already support Secure Boot (Debian, Fedora) both support it and (GRUB and rEFInd) also support it. It's still too early to conclude it will be possible or even difficult with the final release of Windows 11.
  • gronostaj
    gronostaj almost 3 years
    Correct me if I'm wrong, but won't Secure Boot learn the One True Boot Sequence and enforce it? So if it's configured by Windows to trust Windows boot, any secondary OS (even another Windows instance) will automatically not match what SB expects?
  • user1686
    user1686 almost 3 years
    @gronostaj: No, there is no such thing at all. Secure Boot has no learning and allows anything that passes digital signature verification. You might be thinking of what BitLocker does using the TPM (either in combination with Secure Boot or without), where the BitLocker key is sealed against a particular boot sequence (I also have a similar setup on Linux with LUKS), but the result of changing the boot sequence in that case is merely that the system shows a passphrase prompt instead of magically unlocking, and of course Linux isn't even going to worry about Windows' BitLocker to begin with.
  • Fallacy11
    Fallacy11 over 2 years
    Great, then they should have full compatibility for all features they are stripping away if dualboot isn't possible anymore. Systemd doesn't function out of the box, requires a bit of hacking to get going just to run snaps which is how many applications are releasing now if you need a package manager.
  • aggieNick02
    aggieNick02 over 2 years
    It turns out SecureBoot does not have to be enabled, just supported. This is a big difference and makes dual-booting much more doable. In general any OS that can be booted via UEFI can be dual-booted with windows 11.