Create UEFI seureboot USB

2020-04-21T17:50:02Z

Invidian: Invidian moved page Create UEFI seureboot USB to Create UEFI secureboot USB: There is a typo in the title

#REDIRECT [[Create UEFI secureboot USB]]

Create UEFI secureboot USB

2020-04-21T17:50:02Z

Invidian: Invidian moved page Create UEFI seureboot USB to Create UEFI secureboot USB: There is a typo in the title

This article explains how to create an UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with ALpine Linux did not work and Gummiboot only worked on one of two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them given time.

In this example we will use {{Path|/dev/sdX}} and $HOME. This will be different depending on your system. Substitute the paths in the examples below as necessary.

== Create GPT boot partition ==

Install {{Pkg|parted}}
{{Cmd | apk add parted }}

Create a single UEFI boot partitions.
{{warning| This will erase all content of your {{Path|/dev/sdX}}. Make sure that you use correct device.}}

{{Cmd | parted --script /dev/sdX mklabel gpt
parted --script --align{{=}}optimal /dev/sdX mkpart ESP fat32 1MiB 100%
parted --script /dev/sdX set 1 boot on }}

== Create fat32 filesystem ==

Create a fat32 system with the name `Alpine`.

{{Cmd | mkfs.vfat -n ALPINE /dev/sdX1 }}

== Copy content of ISO image to filesystem ==

It is possible to mount the iso image and copy files with {{codeline|cp}} or {{codeline|rsync}} and it is also possible to use {{codeline|7z}} to extract content from the iso. In this example I will use the {{codeline|uniso}} utility from {{Pkg|alpine-conf}} package.

{{Cmd | mount -t vfat /dev/sdX1 /mnt
cd /mnt
uniso < /path/to/alpine-3.8.2-x86_64.iso }}

== Create MOK Key ==
{{Cmd | openssl req -new -x509 -newkey rsa:2048 -keyout $HOME/alpine_local.key -out $HOME/alpine_local.crt -nodes -days 3650 -subj "/CN{{=}}Alpine Local CA/"
openssl x509 -in $HOME/alpine_local.crt -out $HOME/alpine_local.cer -outform DER}}

== Download and install rEFInd ==
Download the binary zip file of rEFInd from http://www.rodsbooks.com/refind/getting.html. In this example we will use the current version of rEFInd, refind-bin-0.11.4.zip. There may be a more recent version of rEFInd available when you download.

{{Cmd | cd /mnt/efi/boot
unzip /path/to/refind-bin-0.11.4.zip
mv refind-bin-0.11.4/refind/* .
rm -rf refind-bin-0.11.4}}

== Copy signed shim ==
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz. In this example we assume it is stored in your users download directory. Substitute the paths in the example below as necessary.

{{Cmd | cd /mnt/efi/boot
gunzip -c /path/to/shim-signed-0.2.tgz | tar x --strip-components{{=}}1 --no-same-owner}}

== Install Shim and Certificate ==
{{Cmd | cp $HOME/alpine_local.cer /mnt/efi/boot
cp /mnt/efi/boot/refind_x64.efi /mnt/efi/boot/grubx64.efi
cp /mnt/efi/boot/shim.efi /mnt/efi/boot/bootx64.efi }}

== Sign the Bootloader and kernel with your key ==
{{Cmd | sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/efi/boot/grubx64.efi
mv /mnt/efi/boot/grubx64.efi.signed /mnt/efi/boot/grubx64.efi
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/boot/vmlinuz-vanilla
mv /mnt/boot/vmlinuz-vanilla.signed /mnt/boot/vmlinuz-vanilla}}

== Unmount the partition ==
Finally umount the disk
{{Cmd | cd ~ && umount /mnt}}

== Install the Keys and Enroll Hash ==
Insert the USB into the target PC and boot. When prompted select to enroll key, navigate to alpine_local.cer and add it. Then select enroll hash navigate to efi/boot/grubx64.efi select it and add the hash. Now reboot and given a bit of luck it should launch alpine. This step is a bit more complex than it needs to be due to the binary distribution of refind already being signed by the authors key. Once rEFInd is packaged it should simplify this step.

[[Category:Installation]]

Alpine Linux - User contributions [en]

Create UEFI seureboot USB

Create UEFI secureboot USB