Why I decided to -limit- my social presence on the internet, and why I think this will be good for the both of us

A few years ago something totally unexpected happened. It was the end of the day and I was fully prepared to sit down behind my laptop in the home office. Instead I decided to do something else, not to waste my evening on what had become a daily routine: tweeting, liking posts on LinkedIn, uploading fresh pictures to Instagram, answering Slack messages, scouring the internet for anything interesting to read and learn.

Being away from my computer felt like something special. I started living a regular life, spending my free time as any other guy would: watching movies together with J. (my girlfriend), playing with our dogs on the beach, going out with friends.

I could have spent the time on this blog as well, but I chose not to. I was able to clear my head and think about how I used my computer and phone, how I perhaps consumed and processed more information than I really wanted to, and what the long-term effects of that do to a person.

In some periods I can burn a lot of time tinkering with all kinds of hardware, Linux and open source software. I'm that introvert perfectionist with a slight touch of OCD who gets a bit too obsessed about particular things and who can't let anything go before he's really done with it. In the past this behaviour actually led to a few years of unhealthy multiplayer gaming (CS:GO), so it's not something I take lightly.

In the back of my head I already knew I had to take counter-measures to prevent falling back into the same trap and letting my mind run loose again.

So, as a first task, I started disposing of old hard disks, floppies, Zip drives, network cables, a Pentium Pro desktop, even an old SPARCstation: all that awesome stuff you gather when working in IT for years. Sometimes it was a painful activity, because you feel bonded with objects that link to good memories from the past.

Anyway, this was a big step in de-cluttering my life and it has made some huge positive improvements to my productivity and what I call my hyper-focus.

I also realized that while my workflow had improved, I did things the younger me would never have approved of.

As an example, one of those things was leaving an application open and letting it run in the background, even when I was not there. I know this sounds rather silly, but closing an application when I don't use it does help me focus on what I'm doing. For that reason, I replaced the OS on two of my Lenovo workstations with vanilla Debian and the i3 window manager. (See guys? Told you this post was not exclusively about scoring points on LinuxPorn!)

The third step: I became picky about which channels to subscribe to, and made an agreement that at a certain time in the evening I'd stop, no matter how strong my desire to keep hanging on (if I don't, I have to take her out to a fancy dinner). After some time I found the everlasting craving for more was gone, and I truly enjoyed the nothingness; I loved all that time I now had on my hands more than anything.

I eventually launched Newsboat, and closed it after a quick glance. Then I fired up Vim and removed about 80% of the feeds. Most were other we(b)logs, a variety of tech and/or open source related projects and some news sites. The first to go was CNN International, which posts multiple times per day about everything from movie trailers, science and tech, to politics. While this was pretty good at giving me the latest highlights, it took more time than it was worth to keep up with.

Neither of us likes TV channels, because of the irritating commercials filled with products we are never going to buy. Thus Netflix was the only agreeable option.

Last week I took the last step and told my customer(s) I would take 5 days off for studies, whatever the outcome. Yes, every unproductive day is money lost, but in the end those certifications are a long-term investment that will pay for itself.

Update (15/11/21): Bought a Garmin Fenix 6 smartwatch and an Aeku M5 phone after reading this blog post. Let's see if they can replace my BlackBerry Android.

Something to think about: since we have a limited quota of time in this world, why not rather spend it on things and people we find fun, that bring joy to our lives and that keep us productive?

So, I hope you will understand and won't feel offended if I can't follow you on social media; it's nothing personal. It's for the good of me, and hopefully you.

An Open Source tool for keeping on top of the activity in your AWS account

Today we are going to talk a bit about an open source tool called Activity Aware IDS for AWS, which helps system admins be more aware of activities in their AWS account, including those that might indicate a potential account compromise. This post will focus on some of the more common use cases for Activity Aware IDS and how to start using it today. But before we get to that, it's important to understand the 3 security threats you face as an AWS customer, your responsibility in protecting against them, and to refresh what you learned about the least privilege principle as a best practice for thinking about security and access control.

The principle of least privilege

Any system or identity (user, program, service, etc.) granted privileges to access resources or information should be granted only the minimum privileges necessary to perform its tasks. In its default configuration, Activity Aware IDS will inform you or your team when users or roles attempt to use actions or access resources beyond their privileges.

You can also configure Activity Aware IDS to notify you of AWS API actions even when these actions are permitted, but this turns out to be more complex and was something we simply did not have the time for (so that task is up to you).

The AWS Shared Responsibility Model

A cornerstone of security in the AWS Cloud is the Shared Responsibility Model. At its highest level, this is a delineation between what AWS is responsible for securing and what you as an AWS customer are responsible for securing.
AWS takes care of security OF the cloud; YOU take care of security IN the cloud.

From their side, AWS takes responsibility for securing the building blocks used to compose your systems. These typically include compute (EC2) hosts, storage (S3) infrastructure, databases (RDS), networking infrastructure, and so on. That's not to say you should throw all of your customers' credit card data into an S3 bucket and assume the AWS agreement covers your security responsibility.
You still have to lock that bucket!

Security Threats in the Cloud

The 3 major types of security incidents in AWS:

  • Infrastructure Impact,
  • Host Compromise,
  • Account Compromise.

Infrastructure Impact includes external attacks on the underlying infrastructure of your application. This type of attack largely consists of Distributed Denial of Service (DDoS) attacks, where an attacker sends a large volume of traffic at your site. AWS Shield is a service you can use to protect against that kind of attack.

Host Compromise involves techniques like command injection to gain access to your resources, such as EC2 instances, which then become a free source of Bitcoin mining capacity, a way into the data they hold, or a stepping stone to other instances that likely hold valuable data. Host-based intrusion detection and intrusion prevention are the two most common methods of alleviating this type of threat.

Account Compromise involves an attacker gaining access to users or roles in an account, and then using them for the data they have access to, or the resources they can create.
There are not many solutions that fill this gap. Activity Aware IDS for AWS does. When the attacker attempts to scout the permissions of compromised identities (users, roles), they will inevitably get access denied on a number of the actions and resources they attempt to use while testing. Activity Aware IDS notifies you of these denials in, for example, a Slack channel.

Use Cases

Activity Aware IDS builds on CloudTrail and the least privilege principle.

Let's imagine a user named Mr. X had his credentials compromised by an attacker, Mr. Z. Mr. Z wants to see what groups and roles he has access to through Mr. X's account. Mr. Z (using Mr. X's credentials) doesn't have access rights to view the groups Mr. X is associated with, and doesn't have access to view the policies attached to those groups. If Mr. Z tries to view the policies, the system raises an access denied error, which gets logged to CloudTrail.

At this point Activity Aware IDS receives the denial log entry, converts it into a friendly format, and then sends it to your Slack channel. Once the message arrives, you will see that there are strange "Access Denied" messages associated with Mr. X.
A good administrator will call the user causing that message and find out that he wasn't performing those actions. Time to replace his credentials.

Mr. Z was blocked from performing actions thanks to the least privilege principle. Although this is a standard recommendation in security land, it can be difficult to find the exact set of permissions that a user or role should have. Activity Aware IDS for AWS can also assist with this.

Say you are deploying a new service and want to give it permissions following least privilege. The easy way to start is to create a role with no permissions. Let's assume your system needs to send logs to CloudWatch Logs (a requirement for AWS Lambda). When the system attempts to create a new Log Group, it will get denied, because the role has no permissions yet. The event is logged to CloudTrail, where Activity Aware IDS picks it up and sends a message to Slack, where you can review the action being attempted, the role involved in the action, and the ARN of the specific resource it's trying to perform the action on.

At this point you could add a statement to the role's policy allowing access to "CreateLogGroup", with a fairly restrictive resource description.
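Both use cases above (the Mr. X scouting denial and the new role that still lacks CloudWatch Logs permissions) rest on the same operation: take a CloudTrail record with an access-denied error code, render it in a friendly format for Slack, and read the action and resource ARN out of it. The script below is an added example and not Activity Aware IDS's own code. The three CloudTrail records are constructed (field names follow CloudTrail's event format; account id 123456789012, the IPs and the names are placeholders), the table of known resource shapes in `resource_arn` is this example's own assumption, and `suggest_statement` is only a starting point for the policy statement described above.

```python
"""Added example (not the Activity Aware IDS project's own code): turn CloudTrail
access-denied records into a Slack-style summary and derive a least-privilege
policy statement from the same event. Records below are constructed; the account
id, IPs and identity names are placeholders."""
import json
from typing import List, Optional

# Constructed records: a scouting attempt with Mr. X's stolen credentials, a new
# Lambda role that still lacks CloudWatch Logs permissions, and one permitted call.
SAMPLE_EVENTS = [
    {
        "eventTime": "2021-11-15T18:02:11Z", "awsRegion": "eu-west-1",
        "recipientAccountId": "123456789012", "eventSource": "iam.amazonaws.com",
        "eventName": "ListAttachedGroupPolicies", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mr-x"},
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"groupName": "admins"},
    },
    {
        "eventTime": "2021-11-15T18:05:40Z", "awsRegion": "eu-west-1",
        "recipientAccountId": "123456789012", "eventSource": "logs.amazonaws.com",
        "eventName": "CreateLogGroup", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/new-service-role/new-service"},
        "sourceIPAddress": "lambda.amazonaws.com",
        "requestParameters": {"logGroupName": "/aws/lambda/new-service"},
    },
    {
        "eventTime": "2021-11-15T18:06:02Z", "awsRegion": "eu-west-1",
        "recipientAccountId": "123456789012", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",  # no errorCode: the call was permitted
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mr-x"},
        "sourceIPAddress": "203.0.113.7",
    },
]

# CloudTrail error codes that mean an authorization failure (AccessDenied is the
# common one; EC2 reports Client.UnauthorizedOperation).
DENIAL_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def is_denial(event: dict) -> bool:
    return event.get("errorCode") in DENIAL_CODES


def iam_action(event: dict) -> str:
    """'iam.amazonaws.com' + 'ListAttachedGroupPolicies' -> 'iam:ListAttachedGroupPolicies'."""
    service = event["eventSource"]
    if service.endswith(".amazonaws.com"):
        service = service[: -len(".amazonaws.com")]
    # A few services use an IAM prefix that differs from their endpoint name.
    service = {"monitoring": "cloudwatch"}.get(service, service)
    return f"{service}:{event['eventName']}"


def resource_arn(event: dict) -> Optional[str]:
    """Rebuild the target ARN for the request shapes this example knows (assumption:
    only these two); None for anything else so the caller does not guess."""
    params = event.get("requestParameters") or {}
    region = event.get("awsRegion", "*")
    account = event.get("recipientAccountId", "*")
    if event["eventName"] == "CreateLogGroup" and "logGroupName" in params:
        return f"arn:aws:logs:{region}:{account}:log-group:{params['logGroupName']}:*"
    if event["eventSource"] == "iam.amazonaws.com" and "groupName" in params:
        return f"arn:aws:iam::{account}:group/{params['groupName']}"
    return None


def slack_message(event: dict) -> str:
    """The 'friendly format' a Slack notifier would post for one denial."""
    who = event.get("userIdentity", {}).get("arn", "unknown identity")
    arn = resource_arn(event) or "(resource ARN not derivable from this event)"
    return (f":rotating_light: Access denied for `{who}`\n"
            f"action: `{iam_action(event)}`  resource: `{arn}`\n"
            f"source: `{event.get('sourceIPAddress')}`  at {event.get('eventTime')}")


def suggest_statement(event: dict) -> dict:
    """Least-privilege statement for the denied call; falls back to '*' only when
    no ARN could be rebuilt, which is the case to tighten by hand."""
    return {"Effect": "Allow", "Action": [iam_action(event)],
            "Resource": [resource_arn(event) or "*"]}


def summarize_denials(events: List[dict]) -> List[str]:
    return [slack_message(e) for e in events if is_denial(e)]


if __name__ == "__main__":
    for msg in summarize_denials(SAMPLE_EVENTS):
        print(msg, "\n")
    print(json.dumps(suggest_statement(SAMPLE_EVENTS[1]), indent=2))
```

In a deployment the records would arrive from the CloudTrail delivery bucket or a CloudWatch Logs subscription rather than from a list, and the `suggest_statement` output is something to review, not to apply automatically: for the second record it is exactly the `CreateLogGroup` statement the post describes, while for the first record (Mr. X's stolen credentials) the right response is to rotate the credentials, not to grant the denied action.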

What to do next

Feel like getting your hands dirty? Check the Giftbit Guide.

Ref: some content was copied from the Giftbit repo.

To-do's when (re)installing Ubuntu desktop on a Lenovo ThinkPad X1 Carbon Gen 8

BIOS functions

Firmware updates

Lenovo ships firmware capsules which, when running Ubuntu's Update Manager, will be offered for installation. Ref: Lenovo Knowledge Base.

Sleep states

The BIOS has 2 Sleep State options, which you can find in Config > Power > Sleep State.

The Linux option is a traditional S3 power state where all hardware components are turned off except for the RAM, and it should work normally.

The Windows option is a newer software-based "modern standby" which works on Linux too (despite the name). One benefit of the Windows sleep state is a faster wake-up time; a possible drawback is increased power usage.

I tested the Windows option and did not notice any major loss of battery time.

Software packages

My bash & zsh history output

$ sudo apt install ubuntu-restricted-extras
$ sudo apt install rkhunter
 <> $ sudo rkhunter -c --noappend-log
$ sudo apt install clamav clamav-daemon
 <> $ sudo systemctl stop clamav-freshclam
 <> $ sudo freshclam
 <> $ sudo systemctl start clamav-freshclam
 <> $ sudo clamscan --recursive .
$ sudo apt install clamtk
$ sudo apt install clamtk-gnome
$ sudo apt install tmux
$ sudo apt install xclip
$ sudo apt install xdotool
$ sudo apt install devilspie
$ sudo apt install neofetch
$ sudo apt install curl
$ sudo apt install youtube-dl
$ sudo apt install hexchat
$ sudo apt install gimp
$ sudo apt install vim
$ sudo apt install python
$ sudo apt install git
$ sudo apt install htop
$ sudo apt install iotop
$ sudo apt install iftop
$ sudo apt install ttyload
$ sudo apt install ranger
$ sudo apt install trash-cli
$ sudo apt install shellcheck
$ sudo apt install whois
$ sudo apt install fzf
$ sudo apt install postfix
$ sudo apt install pcscd #needed for Yubico Authenticator
 <> $ sudo systemctl status pcscd.socket
 <> $ sudo service pcscd start
 <> $ sudo systemctl enable pcscd
$ sudo apt install unrar zip unzip p7zip-full p7zip-rar rar
$ sudo apt install virtualbox virtualbox-ext-pack -y
 <> $ sudo sh sign-vboxmodules.sh
$ sudo usermod -a -G vboxusers $USER
$ sudo apt install wireshark
 <> $ sudo adduser **my username** wireshark
$ sudo apt install metadata-cleaner
$ sudo apt install steam
$ sudo apt install dino-im
$ sudo apt install dconf-editor
$ sudo apt install gparted
$ sudo add-apt-repository ppa:yann1ck/onedrive
 <> $ sudo apt update
 <> $ sudo apt install onedrive
 <> $ onedrive --synchronize --verbose --dry-run
 <> $ systemctl --user enable onedrive
 <> $ systemctl --user start onedrive
 <> $ systemctl status --user onedrive
$ sudo add-apt-repository -y ppa:teejee2008/ppa
 <> $ sudo apt update
 <> $ sudo apt install timeshift
$ curl -fLo ~/.vim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim
 <> $ touch .vimrc
$ git clone https://github.com/powerline/fonts.git --depth=1
 <> $ cd fonts
 <> $ ./install.sh
 <> $ cd ..
 <> $ rm -rf fonts
$ sudo apt update && sudo apt install ecryptfs-utils cryptsetup
$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 <> $ unzip awscliv2.zip
 <> $ sudo ./aws/install -i /usr/local/aws-cli -b /usr/local/bin
 <> $ aws configure --profile **my username**
$ sudo apt install zsh
 <> $ zsh --version
 <> $ echo $SHELL
 <> $ chsh -s $(which zsh)
$ git clone https://github.com/zsh-users/zsh-autosuggestions.git $ZSH_CUSTOM/plugins/zsh-autosuggestions
$ git clone https://github.com/zsh-users/zsh-syntax-highlighting.git $ZSH_CUSTOM/plugins/zsh-syntax-highlighting
$ sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
$ git clone https://gitlab.gnome.org/GNOME/sushi.git
 <> $ cd sushi-3.38.0 (could be a newer version)
 <> $ sudo apt install meson libevince-dev gir1.2-gstreamer-1.0 librust-gstreamer-audio-sys-dev libgtksourceview-4-dev libmusicbrainz5-dev libwebkit2gtk-4.0-dev libgirepository1.0-dev ninja-build
 <> $ meson builddir && cd builddir
 <> $ sudo meson install
$ sudo apt install gufw
$ sudo apt install mupdf
$ sudo apt install dnsutils
$ sudo apt -y install net-tools
$ sudo apt install smartmontools
$ sudo apt remove --purge -y totem
$ sudo apt remove --purge -y rhythmbox
$ sudo apt remove --purge -y transmission transmission-common transmission-gtk transmission-qt
$ sudo apt update && sudo apt upgrade
$ sudo apt install mpv
$ sudo apt install ffmpeg
$ sudo apt install ffmpegthumbnailer
$ sudo apt install protonvpn
$ sudo apt install gnome-tweak-tool
$ sudo apt install gnome-shell-extensions
$ sudo apt install gnome-shell-extension-appindicator gir1.2-appindicator3-0.1
$ sudo apt install gnome-shell-pomodoro #/bin/gnome-pomodoro --no-default-window
$ sudo add-apt-repository -y ppa:libreoffice/ppa
 <> $ sudo apt update && sudo apt install libreoffice
$ sudo apt install -y fonts-cascadia-code fonts-firacode
$ sudo apt install ttf-mscorefonts-installer 
$ sudo snap install canonical-livepatch
$ sudo snap install kubectl
$ sudo snap install powershell --classic
$ sudo snap install slack --classic
$ sudo wget https://github.com/shiftkey/desktop/releases/download/release-2.6.3-linux1/GitHubDesktop-linux-2.6.3-linux1.deb
 <> $ sudo apt install gdebi-core
 <> $ sudo gdebi GitHubDesktop-linux-2.6.3-linux1.deb
$ sudo curl -O https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb
 <> $ sudo apt install ./vagrant_2.2.9_x86_64.deb
$ sudo apt install flatpak gnome-software-plugin-flatpak gnome-software
$ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
$ sudo flatpak install flathub io.atom.Atom
$ sudo flatpak install flathub app.drey.Dialect
$ sudo flatpak install flathub ch.protonmail.protonmail-bridge
$ sudo flatpak install flathub ch.protonmail.protonmail-import-export-app
$ sudo flatpak install flathub com.github.IsmaelMartinez.teams_for_linux
$ sudo flatpak install flathub com.github.tchx84.Flatseal
$ sudo flatpak install flathub com.spotify.Client
$ sudo flatpak install flathub com.yubico.yubioath
$ sudo flatpak install flathub de.haeckerfelix.Fragments
$ flatpak install --user flathub io.podman_desktop.PodmanDesktop #--user installs for the current user, so no sudo
$ sudo flatpak install flathub org.gnome.gitlab.YaLTeR.VideoTrimmer
$ apm install pigments
$ apm install file-icons
$ apm install teletype
$ apm install atom-beautify
$ apm install todo-show
$ apm install expose
$ apm install emmet
$ apm install color-picker
$ apm install markdown-writer
$ apm install language-markdown
$ apm install language-powershell
$ apm install autocomplete-python
$ apm install language-batchfile
$ apm install language-vbscript
$ apm install language-reg
$ apm install minimap
$ apm install minimap-autohider
$ apm install autoclose-html-plus
$ apm install text-align
$ cd Documents
 <> $ find . -type f -print0 | xargs -0 chmod -x
$ gsettings set org.gnome.desktop.privacy remember-recent-files false
$ gsettings set org.gnome.shell.extensions.dash-to-dock click-action 'minimize'
$ gsettings set org.gnome.settings-daemon.plugins.media-keys max-screencast-length 0
$ sudo nano /usr/share/applications/vim.desktop #remove gvim icon > NoDisplay=true
$ sudo nano /usr/share/applications/info.desktop #remove texinfo icon > NoDisplay=true

Resources:

Note: dotfiles are available in this private repo.

Browser extensions

Add DuckDuckGo, Privacy Badger, HTTPS Everywhere, and Facebook Container. Do not use other sources!

System specifics

Hibernation mode, aka deep sleep

Simply closing the lid will probably trigger deep sleep. Probe using the command line:

$ systemctl suspend -i

If not, upgrade to a newer kernel.

Low cTDP and trip temperature in Linux

This problem is related to 'thermal throttling' on Linux, where the trip temperature is set much lower than the Windows values. It will cause your laptop to run slower than it could under heavy load.

Before attempting to apply this solution, make sure that the problem still exists. To do so, open a Linux terminal and run the following commands:

$ sudo apt install msr-tools
$ sudo rdmsr -f 29:24 -d 0x1a2

If you see 3 as a result value (15 when running on the battery), you don’t have to do anything. Otherwise:

Warning: the next steps can cause serious issues on your system. See this page for more details.

  1. Disable Secure Boot in the BIOS (won’t work otherwise).
  2. Install the throttled fix:
    $ sudo apt install git build-essential python3-dev libdbus-glib-1-dev libgirepository1.0-dev libcairo2-dev python3-cairo-dev python3-venv python3-wheel
    $ git clone https://github.com/erpalma/throttled.git
     <> $ sudo ./throttled/install.sh
    
  3. Make sure that thermald is not setting it back down:
    $ sudo systemctl stop thermald.service
    $ sudo systemctl disable thermald.service
    
  4. If you want thermald permanently disabled, even after a package update:
    $ sudo systemctl mask thermald.service
    
  5. Verify that throttled is running:
    $ sudo systemctl status throttled
    
  6. Check again that the result from running the rdmsr command is 3.

Battery temperature levels

I use lower temperature levels to preserve battery life at the cost of performance. To change default values, edit your /etc/throttled.conf file, and set Trip_Temp_C for both battery and AC the way you want:

[BATTERY]
# Other options here...
PL2_Tdp_W: 40
Trip_Temp_C: 75

[AC]
# Other options here...
PL1_Tdp_W: 34
PL2_Tdp_W: 40
Trip_Temp_C: 90
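The values above are applied directly to the CPU's power and temperature limits, so it pays to sanity-check an edited throttled.conf before copying it into /etc/throttled.conf. The checker below is an added example and not part of the throttled project. The passing sample is built from the values shown above (the battery PL1_Tdp_W of 29 is a constructed value, since the notes only show PL2 for battery), the failing sample is constructed, and the two rules it enforces are this example's own assumptions: Trip_Temp_C must fall within 1..100 °C because throttled programs it as an offset below the CPU's TjMax, and PL1 (the sustained limit) must not exceed PL2 (the short burst limit).

```python
"""Added example (not from the notes above and not part of the throttled project):
validate a throttled.conf before applying it. Samples are constructed; the limits
in the checks are assumptions explained in the comments."""
import configparser
from typing import List

# Constructed from the values shown in the notes; the battery PL1 value is made up.
SAMPLE_CONF = """
[GENERAL]
Enabled: True

[BATTERY]
PL1_Tdp_W: 29
PL2_Tdp_W: 40
Trip_Temp_C: 75

[AC]
PL1_Tdp_W: 34
PL2_Tdp_W: 40
Trip_Temp_C: 90
"""

# Constructed config with three mistakes: PL1 above PL2 on battery, a missing
# PL1 on AC, and a trip temperature above TjMax on AC.
BAD_CONF = """
[BATTERY]
PL1_Tdp_W: 45
PL2_Tdp_W: 40
Trip_Temp_C: 75

[AC]
PL2_Tdp_W: 40
Trip_Temp_C: 105
"""

REQUIRED = ("PL1_Tdp_W", "PL2_Tdp_W", "Trip_Temp_C")


def validate_throttled_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cp = configparser.ConfigParser()  # throttled.conf is INI-style 'key: value'
    cp.read_string(text)
    findings = []
    for section in ("BATTERY", "AC"):
        if not cp.has_section(section):
            findings.append(f"missing [{section}] section")
            continue
        values = {}
        for key in REQUIRED:
            if not cp.has_option(section, key):
                findings.append(f"[{section}] {key} is not set")
                continue
            try:
                values[key] = int(cp.get(section, key))
            except ValueError:
                findings.append(f"[{section}] {key} must be an integer")
        for key in ("PL1_Tdp_W", "PL2_Tdp_W"):
            if key in values and values[key] <= 0:
                findings.append(f"[{section}] {key} must be positive")
        trip = values.get("Trip_Temp_C")
        # Assumption: Trip_Temp_C is programmed as an offset below TjMax, which is
        # 100 C on the Intel parts in these laptops, so 1..100 is the usable range.
        if trip is not None and not 1 <= trip <= 100:
            findings.append(f"[{section}] Trip_Temp_C={trip} is outside 1..100")
        pl1, pl2 = values.get("PL1_Tdp_W"), values.get("PL2_Tdp_W")
        # Assumption: PL1 is the sustained limit and PL2 the short burst limit,
        # so PL1 > PL2 is a configuration mistake.
        if pl1 is not None and pl2 is not None and pl1 > pl2:
            findings.append(f"[{section}] PL1_Tdp_W={pl1} exceeds PL2_Tdp_W={pl2}")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("bad", BAD_CONF)):
        print(name, validate_throttled_conf(conf) or "OK")
```

Run it against the file you are about to install (for example `validate_throttled_conf(open("throttled.conf").read())`) and only copy the file into place when the list comes back empty; the throttled service re-reads the file on restart.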

Battery charging thresholds

There are a lot of theories and advisories about ThinkPad charging thresholds. Some say thresholds are needed to keep the battery healthy; some think they are useless and the battery will work just the same without them.

I always stick with the following settings for my laptops (because they are mostly on AC):

Start threshold: 60% - Stop threshold: 65%

This means that charging will start only if the battery level goes down below 60% and will stop at 65%. This prevents my battery from being charged too often, and from being charged beyond a recommended level.

To achieve this for Linux based machines:

  1. Install this list of packages:
    $ sudo apt install tlp tlp-rdw acpi-call-dkms tp-smapi-dkms
    
  2. Start the tlp service:
    $ sudo systemctl enable --now tlp.service
    
  3. After that, edit /etc/tlp.conf and change the values below:
    # Uncomment both of them if commented out
    START_CHARGE_THRESH_BAT0=60
    STOP_CHARGE_THRESH_BAT0=65
    
  4. Reboot, run:
    $ sudo tlp-stat --battery
    
  5. Verify that the values are as you expected:
    tpacpi-bat.BAT0.startThreshold          = 60 [%]
    tpacpi-bat.BAT0.stopThreshold           = 65 [%]
    
  6. You can change these thresholds anytime, and apply the changes by typing:
    $ sudo tlp start
    

Note: if you need your laptop fully charged, you can achieve that by running the following command while connected to AC:

$ tlp fullcharge

29/01/23: This post will be updated every time I commit changes to my system. One of these will be the future replacement of Atom with Pulsar Edit.

Docs-as-Code, when (not) to use it

Hey, what do you mean with “Docs-as-Code”?

The concept “Docs-as-Code” is basically similar to the way software engineers:

  • Write code,
  • Build an executable,
  • Test it, and then publish the deliverable.

In technical writing terms, it can look something like:

  • Store your content source in a version control system like GitHub (typically in a format like Markdown),
  • Use a static site generator like Middleman, Gatsby, Hugo, Jekyll, VuePress, MkDocs, etc.,
  • Produce a documentation site, run some validation checks (like a broken-link check) and then publish it to your hosting provider.
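The broken-link check mentioned in the last step is the simplest validation to put in a Docs-as-Code pipeline, and it is where Markdown's lack of a single syntax bites first: every generator resolves relative links slightly differently, so catching dangling ones before the build is worthwhile. The script below is an added example, not code from the post or from any of the generators named above. It scans a directory of Markdown files for links and images whose relative targets do not exist on disk; external links are skipped rather than fetched, the link regex is this example's own simplification of Markdown link syntax, and `demo_tree` builds a constructed docs tree in a temporary directory so the check can be run without a real repo.

```python
"""Added example (not part of the post): a minimal Docs-as-Code validation check
that reports broken relative links in Markdown files. The regex is a simplified
reading of Markdown link syntax, and the demo tree is constructed."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Matches [text](target) and ![alt](target "title"); captures only the target.
LINK_RE = re.compile(r'!?\[[^\]]*\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def extract_links(markdown: str) -> List[str]:
    return LINK_RE.findall(markdown)


def is_external(target: str) -> bool:
    return target.startswith(("http://", "https://", "mailto:"))


def check_file(path: str, docs_root: str) -> List[Tuple[int, str]]:
    """Return (line_no, target) for every relative link whose file does not exist.
    Root-relative targets ('/x.md') resolve against docs_root, others against the
    file's own directory; '#fragment' and external links are not checked."""
    broken = []
    with open(path, encoding="utf-8") as fh:
        for line_no, line in enumerate(fh, 1):
            for target in extract_links(line):
                if is_external(target) or target.startswith("#"):
                    continue
                file_part = target.split("#", 1)[0].split("?", 1)[0]
                if not file_part:
                    continue
                if file_part.startswith("/"):
                    resolved = os.path.join(docs_root, file_part.lstrip("/"))
                else:
                    resolved = os.path.join(os.path.dirname(path), file_part)
                if not os.path.exists(resolved):
                    broken.append((line_no, target))
    return broken


def check_tree(docs_root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each Markdown file (relative to docs_root) to its broken links."""
    report = {}
    for dirpath, _, files in os.walk(docs_root):
        for name in sorted(files):
            if name.endswith(".md"):
                full = os.path.join(dirpath, name)
                broken = check_file(full, docs_root)
                if broken:
                    report[os.path.relpath(full, docs_root)] = broken
    return report


def demo_tree() -> Dict[str, List[Tuple[int, str]]]:
    """Build a constructed two-page docs tree and run the check over it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        open(os.path.join(root, "img", "arch.png"), "wb").close()
        with open(os.path.join(root, "index.md"), "w", encoding="utf-8") as fh:
            fh.write("# Docs\n\n[Setup](setup.md)\n![Arch](img/arch.png)\n"
                     "[Missing](guide/missing.md#intro)\n[Site](https://example.com/)\n")
        with open(os.path.join(root, "setup.md"), "w", encoding="utf-8") as fh:
            fh.write("Back to [index](/index.md) and [typo](indx.md).\n")
        return check_tree(root)


if __name__ == "__main__":
    for file, links in demo_tree().items():
        for line_no, target in links:
            print(f"{file}:{line_no}: broken link -> {target}")
```

In a CI job you would call `check_tree` on the repository's docs directory and fail the build when the report is non-empty; extending it to fetch external URLs is a separate, slower check that belongs in a scheduled job rather than on every commit.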

Should I treat documentation the same as my source files?

Source code and documentation files (even if written in MD) are not the same.

A source code file is plain text. A compiler reads the file and converts it into a machine-readable format (like an executable file).

A documentation file, on the other hand, requires extra elements, such as:

  • A link to an image (where will it be hosted?),
  • Who is going to upload what,
  • Different rich styles like tables, tabs, a source code viewer, etc.

In terms of source code files, compilers are pretty mature and stable. If there are syntax errors (not functional errors) the compiler will catch them immediately.

Converting Markdown to HTML (using a static site generator's parser) is prone to errors. There is no single defined syntax for formats like Markdown, merely various flavours.

Challenges encountered when using this approach:

  • Simple fixes are complex,
  • Editorial workflow and review processes,
  • Image management and preview,
  • Category management,
  • Search implementation,
  • When devs need to write technical docs, things can get frantic.

Is it worth the trouble?

Docs differ significantly when compared to source code. In theory, it might look fascinating to go down the “Docs-as-Code” path.

In practice it can get quite rough, especially when you're a single guy creating software documentation in a few GitHub repos, or writing some technical posts. If that's the case, I suggest skipping it, unless you like self-punishment.

Big companies with dedicated teams should look at tools like docToolchain. The philosophy of docToolchain is that software documentation should be treated in the same way as code, combined with the arc42 template for software architecture.

Further reading (English books)

DevOps, what's the fuss?

Notes on dual-booting Linux/Windows 10 with BitLocker and Secure Boot

Boot menu

These notes are meant to help you set up a dual-booting system on a computer running Windows 10 Professional with BitLocker Device Encryption, Modern Standby (a.k.a. Fast Boot), and Secure Boot.

Linux installation is covered briefly as we will focus on preserving the Windows pre-boot UEFI environment in such a setup.

MAKING PREPARATIONS

Before proceeding you should back up all important data to an external disk or your preferred online backup provider. Remember: there is a not insignificant risk of permanently breaking the Windows 10 installation in a non-recoverable fashion, as you'll be making changes to the UEFI partition on your computer.

You should also print a copy of your BitLocker recovery key as it may be needed during this process. This is not your BitLocker PIN or password, but a separate numeric key. Print this key from Control Panel: System and Security: BitLocker Drive Encryption.

Please note that the recovery key will change every time you disable and re-enable BitLocker Device Encryption. Be sure you have several copies of the most recent recovery key or you may lose access to all your encrypted data! I'd recommend creating a script that backs up your key to a secure place in the cloud.

Download and prepare Windows 10 installation media (a 16 GB+ USB stick) for recovery purposes, and do not forget your Linux installation media.

To wrap up, double-check that you have the latest firmware updates installed, especially your Trusted Platform Module (TPM) firmware. Vendors might not auto-update the TPM using their regular driver and firmware update utilities.

FREEING UP SPACE ON THE DRIVE

To install a second operating system you obviously need space on your system drive. You could also use a second drive, but this is probably not a good option for laptop users and small-form-factor devices.

Try to free up at least 20 GB for a Linux installation. Some distros (like Ubuntu and Fedora) install themselves semi-automatically next to Windows with fully guided installation options if you prepare your disk in this way.

Optionally, if your partition layout allows for it you should also grow your UEFI System Partition to circa 1 GB. Multiple operating systems will be storing their UEFI blobs (and possibly multiple versions during system upgrades), and it can be beneficial in the near future to have more space available on this partition.

You can resize and manage your partitions with the built-in Disk Management utility in Windows (search for “Create and manage hard disk partitions” in your Windows Search box or Cortana).

If this is a new device that you've never stored personal data on, I recommend that, if BitLocker Device Encryption is activated, you first disable it temporarily before making changes to the drive partitions. After disabling BitLocker Device Encryption from Windows Settings, you must wait some time for decryption to complete. Then you can proceed to shrink the main drive. Both operations can take hours, depending on the size. Once you have shrunk the partition and freed up space, you can re-enable BitLocker Device Encryption. Reboot the system and wait for the process to complete before moving on, to avoid running into issues later.

If you already stored some data on the drive, you should first create a backup, leave BitLocker Device Encryption enabled, and then just resize the encrypted drive and hope for the best. Don’t format or partition the freed up space, leave this to the Linux installer.

INSTALLING THE SECONDARY OS

Linux installers vary a lot, so I'll only give general pointers on the installation process. You shouldn't need to disable Secure Boot to install a modern Linux distribution. Refer to the wiki for your distribution for specifics. Depending on your device, you may have to boot into your installation media from the Windows Settings app: "System and Updates: Recovery: Advanced Startup".

You shouldn’t select to use the whole drive. The graphical installers for Fedora and Ubuntu will automatically suggest using the freed up space on the system drive. Always verify that the installers aren’t going to format your Windows or UEFI partitions before accepting their suggestions!

Windows 10 and Linux share the same partition for their UEFI blobs. However, you can't install multiple versions of Windows, or of the same Linux distro, on the same UEFI system partition. Each OS installs into its own named folder, e.g. "Microsoft", "Fedora", or "Ubuntu", and this naming scheme does not allow for more than one unique version at a time. If you really need to install multiple versions of, let's say, Ubuntu, then you also have to create a separate UEFI system partition for each one. This requires disabling BitLocker Device Encryption, as changing the boot partition will upset the TPM.

Older versions of Windows and some Linux installers will sometimes overwrite the entire UEFI partition. To prevent this type of often-fatal error, always use a shared UEFI partition, even when installing to a secondary drive, as this will give you an easier time dealing with Secure Boot, BitLocker, and GRUB2.

The OS prober should auto-detect Windows and create a boot menu item for it alongside Linux in GRUB2. Because Windows Update requires multiple reboots, you must configure the GRUB bootloader to remember the most recent boot menu selection (GRUB_DEFAULT=saved; GRUB_SAVEDEFAULT=true). This allows an operating system to trigger multiple reboots when performing updates and boot back into the correct operating system each time.
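The two GRUB settings just mentioned live in /etc/default/grub, where the stock file usually already carries a `GRUB_DEFAULT=0` line and sometimes a commented-out `#GRUB_SAVEDEFAULT=true`, so a blind append would leave two conflicting definitions. The helper below is an added example (not part of these notes or of GRUB) that edits the file text idempotently: it replaces an active line, un-comments a commented one, or appends when the key is absent, and a small parser lets you verify the result. The sample file content is constructed; the function name and the `WANTED` table are this example's own.

```python
"""Added example (not from the notes above): make /etc/default/grub remember the
last booted entry (GRUB_DEFAULT=saved, GRUB_SAVEDEFAULT=true) without leaving
duplicate or commented-out definitions behind. Works on file text so it can be
checked offline; SAMPLE_GRUB is constructed."""
import re
from typing import Dict

# The two settings the notes call for.
WANTED = {"GRUB_DEFAULT": "saved", "GRUB_SAVEDEFAULT": "true"}

# Constructed excerpt of a stock Debian/Ubuntu /etc/default/grub.
SAMPLE_GRUB = """# If you change this file, run 'update-grub' afterwards.
GRUB_DEFAULT=0
#GRUB_SAVEDEFAULT=true
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
"""


def set_grub_option(text: str, key: str, value: str) -> str:
    """Set KEY=value: replace the first active line for KEY, else un-comment the
    first '#KEY=...' line, else append. Returns the new file text."""
    lines = text.splitlines()
    active = re.compile(r"^\s*" + re.escape(key) + r"=")
    commented = re.compile(r"^\s*#\s*" + re.escape(key) + r"=")
    new_line = f"{key}={value}"
    for i, line in enumerate(lines):
        if active.match(line):
            lines[i] = new_line
            break
    else:
        for i, line in enumerate(lines):
            if commented.match(line):
                lines[i] = new_line
                break
        else:
            lines.append(new_line)
    return "\n".join(lines) + "\n"


def remember_last_boot(text: str) -> str:
    """Apply every setting in WANTED; running it twice yields the same text."""
    for key, value in WANTED.items():
        text = set_grub_option(text, key, value)
    return text


def parse_grub_defaults(text: str) -> Dict[str, str]:
    """Read active KEY=value lines (comments and blanks skipped) for verification."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


if __name__ == "__main__":
    updated = remember_last_boot(SAMPLE_GRUB)
    print(updated)
    print(parse_grub_defaults(updated))
```

On a live system you would read /etc/default/grub, write `remember_last_boot(text)` back with root privileges, and then run `sudo update-grub` (Debian/Ubuntu) so the generated grub.cfg picks the change up. One caveat worth knowing: GRUB saves the chosen entry by writing to its grubenv file, which it cannot do on some filesystems and layouts (btrfs, LVM or RAID-backed /boot), so verify after a reboot that the last-selected entry is actually remembered.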

You might be prompted for a BitLocker recovery key after completing the installation.

PS. Need more technical info? Check this link @XDA Developers.