Windows dual boot documentation?

[pshirshov]

It seems like it's currently impossible to configure a host for dual-boot in declarative manner.

Maybe I'm wrong, but from what I can see one has to manually sign the ed2k shell and add a regular entry through boot.loader.systemd-boot.windows.

It would be awesome to have some blessed approach to dual boot described in the docs.

[RaitoBezarius]

I think you only need to keep Microsoft keys and let systemd-boot know about Windows via the magic reboot into Windows option and that's it?

You don't need to do anything and you must not boot Windows via systemd-boot otherwise you will mess your measurement path and if you are using anything like Bitlocker, this will trigger a recovery prompt on boot because the measurement path is incorrect.

[pshirshov]

Well, reboot to windows works but I would really like to have an option to boot through systemd-boot menu. So, essentially, it's not possible at all?

measurement path

But from what I can see, if I sign the uefi shell and boot through it, I only have to enter bitlocker key once.

In any case, it would be good to have this documented.

[RaitoBezarius]

Well, reboot to windows works but I would really like to have an option to boot through systemd-boot menu. So, essentially, it's not possible at all?

I'm not sure systemd-boot gives us easy way to do this and we will probably not support super advanced modifications that diverges too much from what systemd encourages.

measurement path

But from what I can see, if I sign the uefi shell and boot through it, I only have to enter bitlocker key once.

In any case, it would be good to have this documented.

If you are willing to send a documentation PR, we can take a look :).

[pshirshov]

I'm know literally nothing about the subject.

[rainx0r]

@RaitoBezarius

I think you only need to keep Microsoft keys and let systemd-boot know about Windows via the magic reboot into Windows option and that's it?

Which magic reboot into Windows option are you referring to? systemd-boot can't know about Windows if it's installed on another drive. However, in boot.loader.systemd-boot, it is possible to configure Windows entries manually if you know the EFI device handle which is pretty easy to get with edk2-uefi-shell. Currently, lanzaboote does not seem to support this .windows option at all and even if it's specified in boot.loader.systemd-boot.windows the corresponding boot entry does not seem to be generated. So am I missing some other magic that could be used here or can I conclude that currently lanzaboote does not support Windows on other drives? (Which is also the case for OP)

Secondly, to boot Windows this way, systemd-boot uses the edk2-uefi-shell still, which is not signed by lanzaboote by default. I'm pretty sure that's also what OP was originally trying to convey. I think these two issues are the crux of the problem.

The thing is I'm actually a bit confused as to why some of this is happening. I can see there is a test where supposedly some settings are set in boot.loader.systemd-boot and then they end up in the actual /boot/loader/loader.conf. I can't reproduce this locally as any changes in boot.loader.systemd-boot just don't get reflected in /boot if lanzaboote is enabled, which I suppose is expected since lanzaboote does say it's a replacement right now.

So, am I missing something in terms of getting certain settings from boot.loader.systemd-boot (such as boot.loader.systemd-boot.windows) working? Or is that intended? Or is it intended to work and it not working is a bug? And if it's indeed not intended to work then does lanzaboote intend to reimplement all boot.loader.systemd-boot settings eventually? Because there are a lot of settings there that I can't currently see equivalents for in lanzaboote.