[RESPONDED] Upgrade mobo on Ubuntu with SecureBoot?

I have a Framework 13 DIY with Ubuntu and FDE, so SecureBoot is a thing. Changing out the motherboard would remove the root of trust (i.e. the CPU) for SecureBoot, I assume. Has anyone tried this? Did you need to wipe and restore your SSD? Or did something less heavy-handed work?

I don’t see how that should be a problem. The main purpose of SecureBoot is to verify the integrity of the (signed) OS/Bootloader against a list of known certification authorities (usually Microsoft). Swapping the mainboard should be no problem, as your OS still has valid signatures (from Microsoft). Unless you bound your encryption to some hardware key, in which case you may need to unencrypt your drive before the swap (or change the encryption key to something simple, like a password).

I could guess, too, but I want to know if someone has actually done it.

SecureBoot is supposed to be more than checking a bootloader for a trusted signature; it’s supposed to be a whole signature chain going back to a machine’s TPM verifying that the BIOS and every other step of the boot process hasn’t been compromised as well. So a replaced TPM (or, more likely, the Intel or AMD equivalent root in the CPU) could break the chain.

Windows will prompt for the BitLocker passphrase when the automatic decryption fails. You might want to check Ubuntu’s documentation; it’s possible that it will do the same thing.

If it’s a TPM-based FDE, then yeah, you would need to proceed with caution, as it takes into account the trusted hardware peripherals.

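Added example, not part of any post above: a pre-swap check for the case the replies raise, where the disk key is bound to hardware on the old board. It reads LUKS2 header metadata as printed by `cryptsetup luksDump --dump-json-metadata <device>` and reports whether any keyslot is left that does not depend on the TPM. It assumes the binding was made with `systemd-cryptenroll` (token type `systemd-tpm2`); other enrollment tools may record the binding elsewhere, and both sample headers are constructed.

```python
import json

# Assumption: TPM binding shows up as a systemd-cryptenroll token of this type.
TPM_TOKEN_TYPE = "systemd-tpm2"

def classify_keyslots(metadata_json):
    """Return (tpm_bound, independent) keyslots from LUKS2 JSON metadata."""
    meta = json.loads(metadata_json)
    tpm_bound = {}
    for token in meta.get("tokens", {}).values():
        if token.get("type") == TPM_TOKEN_TYPE:
            for slot in token.get("keyslots", []):
                tpm_bound[str(slot)] = token.get("tpm2-pcrs", [])
    # Any slot not referenced by a TPM token can be opened without the old
    # board (typically with a passphrase or a recovery key).
    independent = sorted(s for s in meta.get("keyslots", {}) if s not in tpm_bound)
    return tpm_bound, independent

def has_fallback(metadata_json):
    """True if the volume can still be unlocked after the TPM is gone."""
    _, independent = classify_keyslots(metadata_json)
    return bool(independent)

# Constructed sample: slot 0 is a passphrase, slot 1 is sealed to the TPM.
SAMPLE_WITH_PASSPHRASE = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [7]}},
})

# Constructed sample: the only keyslot is sealed to the TPM.
SAMPLE_TPM_ONLY = json.dumps({
    "keyslots": {"0": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["0"],
                     "tpm2-pcrs": [7]}},
})

if __name__ == "__main__":
    for name, sample in (("with passphrase", SAMPLE_WITH_PASSPHRASE),
                         ("TPM only", SAMPLE_TPM_ONLY)):
        bound, free = classify_keyslots(sample)
        verdict = "fallback available" if free else "enroll a passphrase first"
        print(f"{name}: TPM-bound={bound} independent={free} -> {verdict}")
```

If the check finds no independent keyslot, adding a passphrase or recovery key while the old board still unlocks the disk avoids the wipe-and-restore path asked about in the first post.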