解决eGPU和BitLocker冲突导致启动需要输入密钥的问题
Resolving eGPU and BitLocker Encryption Conflict
Recently, I brought a eGPU (AMD 6600) for gaming with my laptop. However, when using an external GPU (eGPU), I encountered a conflict with BitLocker encryption, particularly due to an inconsistency in the Platform Configuration Register (specifically, PCR[2]). This issue can cause BitLocker to trip during system reboots when an eGPU is connected. Fortunately, there’s a workaround to resolve this conflict, which I found in this blog eGPU.io.
Understanding PCR, TPM, and BitLocker
TPM (Trusted Platform Module)
TPM is a hardware-based security device that provides secure generation of cryptographic keys, and can limit the use of keys to specific software. TPM ensures that the system is trustworthy and hasn’t been tampered with.
BitLocker
BitLocker is a full disk encryption feature included with Windows. It uses TPM to help protect user data and to ensure that a system hasn’t been tampered with while the system was offline.
PCR (Platform Configuration Register)
PCR is part of the Trusted Platform Module (TPM), which is a secure crypto-processor that enhances hardware security. PCRs are used to store measurement data (in hashed value) that helps in ensuring the integrity of the system. PCR[2] specifically measures and stores data related to hardware configuration and BIOS/UEFI code.
Other PCR options include:
- PCR[0]: Measures the Core System Firmware (BIOS or UEFI), ensuring the firmware has not been tampered with.
- PCR[2]: Stores measurements of option ROMs and any extensions loaded by the firmware.
- PCR[4]: Measures the bootloader code, verifying that the initial code responsible for loading the operating system is secure.
- PCR[5]: Stores the GPT partition table data.
- PCR[11]: BitLocker Access Control.
Steps to Resolve the Conflict
- Suspend BitLocker (暂时禁用 BitLocker): Before making any changes, it’s crucial to suspend BitLocker to prevent it from locking the system during the process. You can do this by running the following command in an elevated Command Prompt:
manage-bde -protectors -disable C:
-
Disable PCR[2] in Group Policy (使用组策略关闭PCR[2]检查): Next, you need to disable PCR[2] to prevent BitLocker from using it for integrity checks, which is where the conflict with the eGPU arises.
- Open the Local Group Policy Editor by typing
gpedit.msc
in the Run dialog (Win + R). - Navigate to
Computer Configuration
->Administrative Templates
->Windows Components
->BitLocker Drive Encryption
->Operating System Drives
. - Double-click on
Configure TPM platform validation profile for native UEFI firmware configurations
. - Set it to
Enabled
, and then uncheck the box for PCR[2] underConfigure TPM platform validation profile
.
- Open the Local Group Policy Editor by typing
-
Reboot Your System(重启计算机): After making these changes, reboot your system to apply them.
-
Re-enable BitLocker(重新启用 C 盘 BitLocker): Once your system is back up and running with the eGPU functioning correctly, re-enable BitLocker to ensure your drive remains secure:
manage-bde -protectors -enable C:
PRO/CON of Disabling PCR[2]
Pros
- Resolves Conflict: Disabling PCR[2] resolves the conflict with eGPU, allowing users to utilize external GPUs without tripping BitLocker.
- System Flexibility: Provides flexibility in hardware configuration changes without affecting system integrity checks by BitLocker.
Cons
- Security Risk: Disabling PCR[2] can reduce the security efficacy of TPM as it no longer checks for changes in BIOS/UEFI, which could potentially be exploited by malicious entities.
Conclusion
By following these steps, you can resolve the conflict between an eGPU and BitLocker encryption caused by PCR[2]. This technique ensures that your system remains secure while also being fully functional with an eGPU connected.
This article is organized by GPT-4-Turbo-2024-04-09 and modified by myself.
本文章由 GPT-4-Turbo-2024-04-09 组织,并由我修改。
本人保留对侵权者及其全家发动因果律武器的权利
版权提醒
如无特殊申明,本站所有文章均是本人原创。转载请务必附上原文链接:https://www.elliot98.top/post/tech/tpm-pcr-bitlocker-egpu/。
如有其它需要,请邮件联系!版权所有,违者必究!