|
The current approach (as I understand it) for Windows is to turn off measured boot for bitlocker, do the update that's likely to cause the issue, and then turn it back on again after the update has completed. Hence you'll often notice UEFI updaters turning off bitlocker. I've seen HP devices tell you what the value of PCR0 will be for each given update, meaning you can know beforehand what that will be, and prepare by locking measured boot to that value before rebooting. In Linux with systemd-measure, there's an option to lock to a signed manifest for PCR11, so you can have updated kernels (UKIs, for example), able to boot, while still locking the measured boot to the kernel image, initrd, cmdline, and public key used to sign the values. At that point, your OS distribution (or yourself) can take control of that process. It doesn't help for firmware updates though, as far as I know, unless you can prepare and ship an updated PCR policy, and your OS distribution is unlikely to be tightly integrated with your hardware vendor to do that, so it will likely fall onto the user, or to unlock the disk while doing those updates. |