Skip Bitlocker detection?
-
@Tom-Elliott said in Skip Bitlocker detection?:
The only change is a minor GUI addition and a little change to the Init fsType script.
Do you want me to put in a request for this so we can track it?
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
-
@george1421 the postinit could re source the funcs file at the end.
-
@george1421 sure! At least then there’s a way to track.
-
@george1421 said in Skip Bitlocker detection?:
I question this statement and then question the value of bitlocker if you can do this successfully. As long as you are using the tpm chip there should be no value in cloning a bitlocker protected partition unless it will be used to restore back to the same computer. If you are doing a one to many deployment with this image it should fail on every computer you deploy it to because the certificate held in the tpm chip will not match. If you can do this then something is wrong with bitlocker.
@gwhiteia Can you please comment on this before we go ahead and change things. This is the basis on why we added the bitlocker check as a hard break in the scripts instead of making it optional. Do you use bitlocker without TPM or how does it work in your case?
-
@george1421 said in Skip Bitlocker detection?:
@Tom-Elliott said in Skip Bitlocker detection?:
The only change is a minor GUI addition and a little change to the Init fsType script.
Do you want me to put in a request for this so we can track it?
Yes, please
-
@Sebastian-Roth said in Skip Bitlocker detection?:
@george1421 said in Skip Bitlocker detection?:
I question this statement and then question the value of bitlocker if you can do this successfully. As long as you are using the tpm chip there should be no value in cloning a bitlocker protected partition unless it will be used to restore back to the same computer. If you are doing a one to many deployment with this image it should fail on every computer you deploy it to because the certificate held in the tpm chip will not match. If you can do this then something is wrong with bitlocker.
@gwhiteia Can you please comment on this before we go ahead and change things. This is the basis on why we added the bitlocker check as a hard break in the scripts instead of making it optional. Do you use bitlocker without TPM or how does it work in your case?
Yes, we use BL without the TPM
-
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth said in Skip Bitlocker detection?:
@gwhiteia said in Skip Bitlocker detection?:
Yes, we use BL without the TPM
But how?
We disable TPM in the BIOS prior to building our image and modify a few GPO settings to use passwords instead of PINs
-
@Sebastian-Roth said in Skip Bitlocker detection?:
But how?
If you run bitlocker without TPM you have an option to use a usb key with the certificate installed or with a preboot password that is managed by the uefi boot loader. It is surely not as secure at the tpm route, but if you have no option, you have limited choices.
Some countries may mandate to not use tpm protection.
-
@george1421 @gwhiteia Ok, so essentially it means we should not error out when detecting bitlocked partitions. But then we will end up with more people asking why their image is so big.
Printing a warning is of no use because it Just skips past with no one noticing it.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth The idea as I understand it, there should be a one time flag (akin to debug flag and location) that will allow the FOG Admin to bypass the check. This is for a one-off situation. 99% of the time its proper to warn the FOG Admin that bitlocker is on and he/she should disable it first. For that remaining 1% of the time of the FOG Admin wants to bypass this stop the FOG should let them (i.e. play with matches and a stick of dynamite. “What could go wrong??”)
-
@george1421 Yeah, you are right. I forgot about this part earlier being discussed here in this topic. We shall look into adding this.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
I have added this “Feature” to 1.6 branch.
I have not added the code to the fos engine stuff, as I’ll leave that up to whomever is building them right now. I don’t have a build environment and we don’t have automated building setup yet (that I am aware of at least)
https://github.com/FOGProject/fogproject/commit/bff919e655d9a239040133466874b19c82562bf9
Essentially, I added the checkbox to bypass bitlocker detection when a capture task is selected. It uses Scheduled Task other5 field to store if this was set or not, and creates a new column for setting this flag in the task.
When this flag is set, it sets the kernel arg
bitlockerbypass=1making it easy enought to look for in the bitlocker check function.Let me know if you have any other questions.
-
@Tom-Elliott said in Skip Bitlocker detection?:
FOG already has the capability to do this, but we added a check because that was the “thought” we needed to do.
You can modify the file yourself.
You are, hopefully, familiar with postinit scripts:
The file you’ll want to replace is:
/usr/share/fog/lib/funcs.shThe line you would need to comment:
Line 290 in fsTypeSetting function.You should then have the ability to capture/deploy images using the “imager/raw” method.
I don’t see the directory you’ve listed above?
/usr/share/fog/… doesn’t seem to exist?
-
@gwhiteia That’s not going to exist on your server.
This exists on your client machines when they’re in an imaging task.
-
@gwhiteia What version of FOG are you running? 1.5.9?
-
@Tom-Elliott said in Skip Bitlocker detection?:
I have not added the code to the fos engine stuff, as I’ll leave that up to whomever is building them right now. I don’t have a build environment and we don’t have automated building setup yet (that I am aware of at least)
Cool! I will add this to our
dev-branchand FOS code in the next days.@gwhiteia You would need to update to the latest
dev-branchto get this feature. Please let me know if you are keen to go there or if you want to wait for the next release (not before Christmas I am fairly sure)? -
@george1421 said in Skip Bitlocker detection?:
@gwhiteia What version of FOG are you running? 1.5.9?
Yes…1.5.9
-
@gwhiteia Well I can either walk you through updating what you need or you can wait until this feature is available in the dev branch. It should take about 15 minutes of hands on time to setup the patch. You will just have to remember to remove it (one line of code) when 1.5.10 is released later this year.
The decision is yours.
