Does the fact that Windows 11 requires TPM and Secure Boot mean that we can no longer have a dual boot setup with let say Linux for example?


The TPM is a passive component; it does not get involved in the boot process on its own, unless an OS (or a bootloader) specifically tries to interact with it. You can dual-boot an OS even if it doesn't have any support for the TPM.

That said, if you want to use the TPM from Linux, you can still do so even if it was initialized by Windows.

Windows initializes the TPM2 using a random "owner password" that it throws away... but the fact that it immediately throws away the password just tells you that you don't need it for normal operation.

For example, the RSA "storage root key" is initialized in a standard way at 0x81000001 and can be used from any OS, including Linux. (Some tools, such as systemd-cryptenroll, will just ignore it and generate an ECDSA root key instead.)

(If necessary, you can still convince Windows to store the owner password in the Registry, although obviously you can't recover the one that was thrown away, so this requires re-initializing the TPM.)

Currently the only limitation is that you cannot use the high-level FAPI tools in Linux tpm2-tss, but that is really not a big loss; almost everything builds on the "raw" EAPI anyway.


On the other hand, the Secure Boot feature can cause some trouble. You should still be able to use Linux distributions like Fedora or Ubuntu which have official support for it (they have Microsoft-signed bootloaders).

With some tinkering, you should be able to use the Microsoft-signed Shim to boot just about anything that supports UEFI. (It's kind of a loophole, as Shim just prompts you to authorize unknown .efi files by their hash.)

Secure Boot on x86 systems also allows you to set up your own signing keys alongside the Microsoft keys. This can get quite complicated, but it is nevertheless completely possible to have a Linux kernel or another .efi file be fully validated by your firmware's Secure Boot.


There's been a lot of misinformation in press articles about the secure boot requirement. To install and run Windows 11, your machine is required to be "Secure Boot capable", and does not have to have Secure Boot enabled. To be "Secure Boot capable" really just means that the system is booting via UEFI, not legacy BIOS/CSM.

(Technically Secure Boot was added to the UEFI spec in 2.3.1 Errata C released in 2012; I imagine almost every consumer motherboard released in the last 5+ years is Secure Boot capable.)

TPM 2.0 must also be enabled for Windows 11, but as mentioned in another answer, that does not prevent other OSes from running in the way that an enabled Secure Boot can.

I verified that Windows 11 does not require that Secure Boot be enabled by installing and running it in a Hyper-V VM. Windows 11 installs happily on a Hyper-V UEFI system with Secure Boot disabled.

See https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements (note it says "UEFI, Secure Boot capable"), and https://support.microsoft.com/en-us/topic/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad (makes explicitly clear that Secure Boot need not be enabled).
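As an added illustration of the "Secure Boot capable" versus "Secure Boot enabled" distinction the answers draw (example code, not from either answerer): on Linux, efivarfs exposes the firmware's SecureBoot and SetupMode variables, while a machine booted via legacy BIOS/CSM has no efivarfs at all. The script assumes the EFI_GLOBAL_VARIABLE GUID and the efivarfs layout (4-byte attribute header, then data); the sample byte strings are constructed.

```python
import os
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID; efivarfs exposes each variable as Name-GUID.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"
EFI_VARIABLE_RUNTIME_ACCESS = 0x4  # attribute bit; SecureBoot/SetupMode are BS|RT

def parse_efivar(raw: bytes):
    """efivarfs layout: 4-byte little-endian attribute mask, then the data."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    attrs = int.from_bytes(raw[:4], "little")
    return attrs, raw[4:]

def boolean_var(raw: Optional[bytes]) -> Optional[bool]:
    """SecureBoot and SetupMode hold one byte (0 or 1); None when absent."""
    if raw is None:
        return None
    attrs, data = parse_efivar(raw)
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS or len(data) != 1:
        raise ValueError("not a runtime-readable one-byte firmware flag")
    return data[0] == 1

def classify(uefi_present: bool, secureboot: Optional[bytes], setupmode: Optional[bytes]) -> str:
    """Map firmware state onto the 'Secure Boot capable' vs 'enabled' distinction."""
    if not uefi_present:
        return "legacy BIOS/CSM boot: not Secure Boot capable"
    if boolean_var(setupmode):
        return "UEFI, Secure Boot capable, firmware in Setup Mode (no keys enforced)"
    if boolean_var(secureboot):
        return "UEFI, Secure Boot enabled"
    return "UEFI, Secure Boot capable but disabled"

def read_var(name: str) -> Optional[bytes]:
    """Read Name-GUID from efivarfs; None if the variable (or efivarfs) is missing."""
    try:
        with open(os.path.join(EFIVARS, f"{name}-{EFI_GLOBAL_VARIABLE}"), "rb") as f:
            return f.read()
    except OSError:
        return None

# Constructed samples: attributes BS|RT = 0x06 (little-endian), then one data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print(classify(os.path.isdir(EFIVARS), read_var("SecureBoot"), read_var("SetupMode")))
```

Running it on a Windows 11-capable machine with Secure Boot turned off reports "capable but disabled", which is exactly the state the requirements page accepts.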