Alpine Linux - User contributions [en]

UEFI Secure Boot

2023-05-14T22:01:57Z

Ziproot: /* Enrolling UEFI keys */ Make command in newly created note note one line

== Mounting ESP ==

Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:

{{cmd|# install -d -m 000 /boot/efi}}

Add the following line to {{path|/etc/fstab}}:

{{Cat|/etc/fstab|...
UUID{{=}}<first-partition-uuid> /boot/efi vfat rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}

Mount it:

{{cmd|# mount /boot/efi}}

== Generating own UEFI keys ==

Install package {{pkg|efi-mkkeys}}:

{{cmd|# apk add efi-mkkeys}}

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

{{cmd|# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}

Now you can uninstall {{pkg|efi-mkkeys}} if you want:

{{cmd|# apk del efi-mkkeys}}

== Generating Unified Kernel Image ==

Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:

{{cmd|# apk add secureboot-hook efibootmgr}}

Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:

<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>

Run kernel hooks:

{{cmd|# apk fix kernel-hooks}}

Disable {{pkg|mkinitfs}} trigger:

{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}

Add boot entry:

{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

== Enrolling UEFI keys ==

Copy all *.esl, *.auth files from {{path|/etc/uefi-keys}} to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

# Reboot system and enter ThinkPad Setup (F1).
# Go to '''Security''' > '''Secure Boot'''
# Change '''Secure Boot''' to '''Enabled'''
# '''Reset to Setup Mode'''
# Go to '''Key Management'''
# '''Authorized Signature Database (DB)'''
#* '''Enroll DB''' > select your Flash Drive > select '''db.auth'''
#* '''Delete DB''' > delete Microsoft certificates (optional)
# '''Key Exchange Key (KEK)'''
#* '''Enroll KEK''' > select your Flash Drive > select '''KEK.auth'''
#* '''Delete KEK''' > delete Microsoft certificates (optional)
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# Go to top, '''Restart''' > '''Exit Saving Changes'''

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
# Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Disabled'''
# Select '''Clear All Secure Boot Keys'''
# Press F10 to save settings
# Reboot system and enter Alpine Linux
# Enable the [[Repositories|Community Repository]]
# Run the following commands:
{{cmd|# apk update
# apk add sbctl
# sbctl create-keys
# sbctl sign /boot/efi/Alpine/linux-lts.efi
# sbctl enroll-keys -m }}
# <li value="9"> Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Enabled'''
# Press F10 to save settings

Note: If you needed to use sbctl, you will have to run <code>sbctl sign /boot/efi/Alpine/linux-lts.efi</code> every time you upgrade the kernel. You should '''not''' need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.

== Resources ==

* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)

[[Category:Booting]]

UEFI Secure Boot

2023-05-14T22:00:05Z

Ziproot: /* Enrolling UEFI keys */ Add note about running a command to re-sign the Unified Kernel Image after upgrade if sbctl was used to enroll the keys

== Mounting ESP ==

Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:

{{cmd|# install -d -m 000 /boot/efi}}

Add the following line to {{path|/etc/fstab}}:

{{Cat|/etc/fstab|...
UUID{{=}}<first-partition-uuid> /boot/efi vfat rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}

Mount it:

{{cmd|# mount /boot/efi}}

== Generating own UEFI keys ==

Install package {{pkg|efi-mkkeys}}:

{{cmd|# apk add efi-mkkeys}}

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

{{cmd|# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}

Now you can uninstall {{pkg|efi-mkkeys}} if you want:

{{cmd|# apk del efi-mkkeys}}

== Generating Unified Kernel Image ==

Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:

{{cmd|# apk add secureboot-hook efibootmgr}}

Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:

<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>

Run kernel hooks:

{{cmd|# apk fix kernel-hooks}}

Disable {{pkg|mkinitfs}} trigger:

{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}

Add boot entry:

{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

== Enrolling UEFI keys ==

Copy all *.esl, *.auth files from {{path|/etc/uefi-keys}} to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

# Reboot system and enter ThinkPad Setup (F1).
# Go to '''Security''' > '''Secure Boot'''
# Change '''Secure Boot''' to '''Enabled'''
# '''Reset to Setup Mode'''
# Go to '''Key Management'''
# '''Authorized Signature Database (DB)'''
#* '''Enroll DB''' > select your Flash Drive > select '''db.auth'''
#* '''Delete DB''' > delete Microsoft certificates (optional)
# '''Key Exchange Key (KEK)'''
#* '''Enroll KEK''' > select your Flash Drive > select '''KEK.auth'''
#* '''Delete KEK''' > delete Microsoft certificates (optional)
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# Go to top, '''Restart''' > '''Exit Saving Changes'''

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
# Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Disabled'''
# Select '''Clear All Secure Boot Keys'''
# Press F10 to save settings
# Reboot system and enter Alpine Linux
# Enable the [[Repositories|Community Repository]]
# Run the following commands:
{{cmd|# apk update
# apk add sbctl
# sbctl create-keys
# sbctl sign /boot/efi/Alpine/linux-lts.efi
# sbctl enroll-keys -m }}
# <li value="9"> Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Enabled'''
# Press F10 to save settings

Note: If you needed to use sbctl, you will have to run {{cmd|# sbctl sign /boot/efi/Alpine/linux-lts.efi}} every time you upgrade the kernel. You should '''not''' need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.

== Resources ==

* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)

[[Category:Booting]]

UEFI Secure Boot

2023-05-14T15:18:47Z

Ziproot: /* Enrolling UEFI keys */ Correct case in path

== Mounting ESP ==

Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:

{{cmd|# install -d -m 000 /boot/efi}}

Add the following line to {{path|/etc/fstab}}:

{{Cat|/etc/fstab|...
UUID{{=}}<first-partition-uuid> /boot/efi vfat rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}

Mount it:

{{cmd|# mount /boot/efi}}

== Generating own UEFI keys ==

Install package {{pkg|efi-mkkeys}}:

{{cmd|# apk add efi-mkkeys}}

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

{{cmd|# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}

Now you can uninstall {{pkg|efi-mkkeys}} if you want:

{{cmd|# apk del efi-mkkeys}}

== Generating Unified Kernel Image ==

Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:

{{cmd|# apk add secureboot-hook efibootmgr}}

Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:

<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>

Run kernel hooks:

{{cmd|# apk fix kernel-hooks}}

Disable {{pkg|mkinitfs}} trigger:

{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}

Add boot entry:

{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

== Enrolling UEFI keys ==

Copy all *.esl, *.auth files from {{path|/etc/uefi-keys}} to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

# Reboot system and enter ThinkPad Setup (F1).
# Go to '''Security''' > '''Secure Boot'''
# Change '''Secure Boot''' to '''Enabled'''
# '''Reset to Setup Mode'''
# Go to '''Key Management'''
# '''Authorized Signature Database (DB)'''
#* '''Enroll DB''' > select your Flash Drive > select '''db.auth'''
#* '''Delete DB''' > delete Microsoft certificates (optional)
# '''Key Exchange Key (KEK)'''
#* '''Enroll KEK''' > select your Flash Drive > select '''KEK.auth'''
#* '''Delete KEK''' > delete Microsoft certificates (optional)
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# Go to top, '''Restart''' > '''Exit Saving Changes'''

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
# Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Disabled'''
# Select '''Clear All Secure Boot Keys'''
# Press F10 to save settings
# Reboot system and enter Alpine Linux
# Enable the [[Repositories|Community Repository]]
# Run the following commands:
{{cmd|# apk update
# apk add sbctl
# sbctl create-keys
# sbctl sign /boot/efi/Alpine/linux-lts.efi
# sbctl enroll-keys -m }}
# <li value="9"> Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Enabled'''
# Press F10 to save settings

== Resources ==

* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)

[[Category:Booting]]

UEFI Secure Boot

2023-05-14T15:16:20Z

Ziproot: /* Enrolling UEFI keys */ Fix minor typo in sbctl command to create keys

== Mounting ESP ==

Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:

{{cmd|# install -d -m 000 /boot/efi}}

Add the following line to {{path|/etc/fstab}}:

{{Cat|/etc/fstab|...
UUID{{=}}<first-partition-uuid> /boot/efi vfat rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}

Mount it:

{{cmd|# mount /boot/efi}}

== Generating own UEFI keys ==

Install package {{pkg|efi-mkkeys}}:

{{cmd|# apk add efi-mkkeys}}

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

{{cmd|# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}

Now you can uninstall {{pkg|efi-mkkeys}} if you want:

{{cmd|# apk del efi-mkkeys}}

== Generating Unified Kernel Image ==

Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:

{{cmd|# apk add secureboot-hook efibootmgr}}

Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:

<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>

Run kernel hooks:

{{cmd|# apk fix kernel-hooks}}

Disable {{pkg|mkinitfs}} trigger:

{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}

Add boot entry:

{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

== Enrolling UEFI keys ==

Copy all *.esl, *.auth files from {{path|/etc/uefi-keys}} to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

# Reboot system and enter ThinkPad Setup (F1).
# Go to '''Security''' > '''Secure Boot'''
# Change '''Secure Boot''' to '''Enabled'''
# '''Reset to Setup Mode'''
# Go to '''Key Management'''
# '''Authorized Signature Database (DB)'''
#* '''Enroll DB''' > select your Flash Drive > select '''db.auth'''
#* '''Delete DB''' > delete Microsoft certificates (optional)
# '''Key Exchange Key (KEK)'''
#* '''Enroll KEK''' > select your Flash Drive > select '''KEK.auth'''
#* '''Delete KEK''' > delete Microsoft certificates (optional)
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# Go to top, '''Restart''' > '''Exit Saving Changes'''

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
# Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Disabled'''
# Select '''Clear All Secure Boot Keys'''
# Press F10 to save settings
# Reboot system and enter Alpine Linux
# Enable the [[Repositories|Community Repository]]
# Run the following commands:
{{cmd|# apk update
# apk add sbctl
# sbctl create-keys
# sbctl sign /boot/efi/alpine/linux-lts.efi
# sbctl enroll-keys -m }}
# <li value="9"> Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Enabled'''
# Press F10 to save settings

== Resources ==

* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)

[[Category:Booting]]

UEFI Secure Boot

2023-05-14T15:14:44Z

Ziproot: /* Enrolling UEFI keys */ Add instructions for computers like HP Pavilion laptops that cannot enroll keys through interface

== Mounting ESP ==

Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:

{{cmd|# install -d -m 000 /boot/efi}}

Add the following line to {{path|/etc/fstab}}:

{{Cat|/etc/fstab|...
UUID{{=}}<first-partition-uuid> /boot/efi vfat rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}

Mount it:

{{cmd|# mount /boot/efi}}

== Generating own UEFI keys ==

Install package {{pkg|efi-mkkeys}}:

{{cmd|# apk add efi-mkkeys}}

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

{{cmd|# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}

Now you can uninstall {{pkg|efi-mkkeys}} if you want:

{{cmd|# apk del efi-mkkeys}}

== Generating Unified Kernel Image ==

Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:

{{cmd|# apk add secureboot-hook efibootmgr}}

Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:

<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>

Run kernel hooks:

{{cmd|# apk fix kernel-hooks}}

Disable {{pkg|mkinitfs}} trigger:

{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}

Add boot entry:

{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

== Enrolling UEFI keys ==

Copy all *.esl, *.auth files from {{path|/etc/uefi-keys}} to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

# Reboot system and enter ThinkPad Setup (F1).
# Go to '''Security''' > '''Secure Boot'''
# Change '''Secure Boot''' to '''Enabled'''
# '''Reset to Setup Mode'''
# Go to '''Key Management'''
# '''Authorized Signature Database (DB)'''
#* '''Enroll DB''' > select your Flash Drive > select '''db.auth'''
#* '''Delete DB''' > delete Microsoft certificates (optional)
# '''Key Exchange Key (KEK)'''
#* '''Enroll KEK''' > select your Flash Drive > select '''KEK.auth'''
#* '''Delete KEK''' > delete Microsoft certificates (optional)
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# Go to top, '''Restart''' > '''Exit Saving Changes'''

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
# Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Disabled'''
# Select '''Clear All Secure Boot Keys'''
# Press F10 to save settings
# Reboot system and enter Alpine Linux
# Enable the [[Repositories|Community Repository]]
# Run the following commands:
{{cmd|# apk update
# apk add sbctl
# sbctl create keys
# sbctl sign /boot/efi/alpine/linux-lts.efi
# sbctl enroll-keys -m }}
# <li value="9"> Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Enabled'''
# Press F10 to save settings

== Resources ==

* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)

[[Category:Booting]]

Wi-Fi

2023-05-13T20:11:43Z

Ziproot: /* Prerequisites */ Add note that installing the linux-firmware package tends to produce errors on data disk or diskless modes and to switch to system disk mode.

This page describes how to set up a wireless network connection with WPA encryption.

Choose a wireless daemon between {{Pkg|iwd}} and {{Pkg|wpa_supplicant}}

== Prerequisites ==

Working wireless drivers
{{Note|in most cases installing {{Pkg|linux-firmware}} should get you the required drivers. Installation of this package can produce errors on diskless or data disk modes. If such errors occur, switch to system disk mode.}}

If you are using a '''Broadcom chipset''', see the [[#Broadcom_Wi-Fi_Chipset_Users|Broadcom Wi-Fi section]].)

== iwd ==

[https://wiki.archlinux.org/title/Iwd iwd] (iNet wireless daemon) is a wireless daemon written by Intel and aiming at replacing {{Pkg|wpa_supplicant}}. The core goal of the project is to optimize resource utilization by not depending on any external libraries and instead utilizing features provided by the Linux Kernel to the maximum extent possible.

{{Pkg|iwd}} is supported since [https://alpinelinux.org/posts/Alpine-3.10.0-released.html Alpine Linux 3.10].

To get started, install {{Pkg|iwd}}:

{{Cmd|apk add iwd}}

To do anything with iwd, it has to be running:

{{Cmd|rc-service iwd start}}

If it was not running, running <code>iwctl ..</code> commands will print

The name net.connman.iwd was not provided by any .service files
Failed to retrieve IWD dbus objects, quitting...

and running just <code>iwctl</code> will say it is waiting for IWD to start.

List your available wifi device(s) (you probably have ''wlan0''):

{{Cmd|iwctl device list}}

If you don't know the SSID of your network you can run a scan and retrieve a list of all the detected networks:

{{Cmd|iwctl station wlan0 scan && iwctl station wlp8s0 get-networks}}

To connect to a network:

{{Cmd|iwctl station wlan0 connect <SSID>}}

 

{{Note|iwd automatically stores network passphrases in the /var/lib/iwd directory and uses them to auto-connect in the future. If you run diskless Alpine, make sure to include this directory to the apkovl and commit:
{{Cmd|lbu add /var/lib/iwd && lbu commit -d}}}}

{{Note|Since version 1.10, iwd supports IPv6, but it is disabled by default. To enable it, add the following to the configuration file:
{{Cat|/etc/iwd/main.conf|<nowiki>[Network]
EnableIPv6=true</nowiki>}}}}

 

Finally, configure {{Pkg|iwd}} and its dependency {{Pkg|dbus}} to start automatically on boot:
{{Cmd|rc-update add iwd boot && rc-update add dbus boot}}

 

Add a entry for the desired interface (e.g. {{Path|wlan0}}):
{{Cat|/etc/network/interfaces|auto wlan0
iface wlan0 inet dhcp}}

{{Note|You could instead use the iwd's built-in network configuration by setting {{Path|<nowiki>EnableNetworkConfiguration=true</nowiki>}} in {{Path|/etc/iwd/main.conf}}}}

 

Manually restart '''networking''':

{{Cmd|rc-service networking restart}}

 

Your wifi interface should now be up and have a dedicated IP adress:
{{Cmd|ip a show wlan0}}

 

Useful link: [https://wiki.archlinux.org/title/Iwd#Enable_built-in_network_configuration Archlinux wiki page] if you need more specific configuration.

== wpa_supplicant ==

To get started install {{Pkg|wpa_supplicant}}

{{Cmd|apk add wpa_supplicant}}

 

To list your available network interfaces:
{{Note|if you don't see any wireless interfaces (e.g. {{Path|wlan0}}), you probably need to load and/or install drivers/firmware.}}

 

{{Cmd|ip link}}
or
{{Cmd|ip a}}

 

Bring up the desired interface:
{{Cmd|ip link set wlan0 up}}

{{Note|If this errors with <code>ioctl 0x8914 failed: No error information</code>, that's <code>busybox ip</code>'s way of saying your wireless radio is rfkill'd. See the [[#Rfkill|Rfkill section]] for information on how to unblock your wireless radio.}}

 

Use this command to add your Wi-Fi network to wpa_supplicant:
{{Cmd|wpa_passphrase 'ExampleWifiSSID' 'ExampleWifiPassword' > /etc/wpa_supplicant/wpa_supplicant.conf}}
''(Access point not broadcasting its SSID requires additional line <code>scan_ssid=1</code> in the file <code>wpa_supplicant.conf</code>)''

{{Note|the Wi-Fi SSID and password are case sensitive and the single quote before and after the SSID and password need to be there}}

 

Start wpa_supplicant in the foreground to make sure the connection succeeds.
{{Cmd|wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf}}

 

If all is well, run it as a daemon in the background by setting the {{Path|-B}} option.
{{Cmd|wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf}}

 

Configure the interface with an IP address.
{{Cmd|udhcpc -i wlan0}}

Sanity check: the interface should have a {{Path|inet}} address.
{{Cmd|ip addr show wlan0}}

 

=== Automatic Configuration on System Boot ===

Add a entry for the desired interface (e.g. {{Path|wlan0}}):
{{Cat|/etc/network/interfaces|auto wlan0
iface wlan0 inet dhcp}}

{{Note|Dont remove or comment out the '''auto lo''' entry}}

Sanity check: Make sure {{Path|/etc/wpa_supplicant/wpa_supplicant.conf}} is the correct configuration for the wireless access point you want to connect to.

Bring the interface down.

{{Cmd|ip link set wlan0 down}}

 

Manually restart (or '''start''') '''networking'''.

{{Cmd|/etc/init.d/networking --quiet restart &}}

 

If all is well (feel free to confirm with the sanity checks),

Configure wpa_supplicant to start automatically on boot:

{{Cmd|# rc-update add wpa_supplicant boot}}

 

Also make sure '''networking''' is set to automatically start on boot:

{{Cmd|# rc-update add networking boot}}

 

'''Optional security precaution:'''

By default {{Pkg|wpa_supplicant}} will store your Wi-Fi password in plain text:

{{Cat|(Example) /etc/wpa_supplicant/wpa_supplicant.conf|<nowiki>network={
ssid="<YourSSIDShouldBeHere>"
#psk="<YourPasswordShouldBeHereInPlainText>"
psk=<RandomLettersAndNumbersShouldBeHere>
}</nowiki>}}

this is not necessary and {{Pkg|wpa_supplicant}} should funtion just fine without it, if you dont want your stored password in plain text just delete the line with <code>#psk="<YourPasswordShouldBeHereInPlainText>"</code> on it.

 

== Launching udhcpc through wpa_cli actions ==

{{Todo|Figure out if theses two sections are different or connected to one another}}

With the above configuration, udhcpc will only run once at boot.
If the Wifi isn't available then, or the network changes in between, it needs to be notified.
This is done through the wpa_cli action script in /etc/wpa_supplicant/wpa_cli.sh

== Automatic Reconnection when WIFI signal is lost ==
To enable automatic reconnection when wifi signal is lost add these to config:

{{Cat|/etc/wpa_supplicant/wpa_supplicant.conf|<nowiki>ap_scan=1
autoscan=periodic:10
disable_scan_offload=1
</nowiki>
}}

{{Cmd|rc-update add wpa_cli boot}}

 

== Troubleshooting ==

==== Broadcom Wi-Fi Chipset Users ====

The Broadcom chipset is quite popular among older computers. The b43 driver is included in the linux-lts or linux-edge kernel packages. However, you might need to compile the firmware manually for this chipset as it is not included in linux-firmware for some cargs.

You can check if you have a Broadcom chipset by using lspci:

{{Cmd|lspci -nn -d 14e4:}}

Now we need fwcutter:

{{Cmd|apk add b43-fwcutter}}

Now we have everything to download the proprietary driver and extract the firmware from it:

<pre>
export FIRMWARE_INSTALL_DIR="/lib/firmware"
wget http://www.lwfinger.com/b43-firmware/broadcom-wl-5.100.138.tar.bz
tar xjf broadcom-wl-5.100.138.tar.bz2
sudo b43-fwcutter -w "$FIRMWARE_INSTALL_DIR" broadcom-wl-5.100.138/linux/wl_apsta.o
</pre>

More information can be found [http://linuxwireless.sipsolutions.net/en/users/Drivers/b43/#Other_distributions_not_mentioned_above here].

Now you need to use modprobe so the device will show up:

{{Cmd|modprobe b43}}

Now continue with the normal instructions.

 

==== Rfkill ====

''See Also: [https://wiki.archlinux.org/title/Network_configuration/Wireless#Rfkill_caveat Network configuration/Wireless#Rfkill caveat - ArchLinux Wiki]''

 

Many laptops have a hardware button (or switch) to turn off wireless card, however, the card can also be blocked by kernel. This can be changed using rfkill. To show the current of your Wi-Fi:

{{Cat|(example) $ rfkill list|0: phy0: wlan
Soft blocked: no
Hard blocked: no}}

 

If the card is hard-blocked, use the hardware button or switch to unblock it. If the card is not hard-blocked but soft-blocked, use the following command:

{{Cmd|# rfkill unblock wifi}}

 

== See Also ==

* [[Installation#Post-Install|Post Install]]
* [[Alpine setup scripts]]

[[Category:Networking]]

Installation

2023-05-13T19:49:56Z

Ziproot: Add link to official guide; add warning that this guide is unofficial

[[Image:hdd_mount.png|left|link=]]
 

This page explains the basics to get started. But before actually installing, it can also help to skim through the [[Alpine_Linux:FAQ| Frequenty Asked Questions (FAQ)]].

NOTE: This is guide is unofficial. Refer to the official installation guide at [https://docs.alpinelinux.org/user-handbook/0.1a/index.html docs.alpinelinux.org].

{{Tip|This is a wiki!
If something isn't correct (anymore), or still incomplete, you will have to try figuring it out, or ask for the correct solution in the [https://alpinelinux.org/community/ community].

And then carefully edit the wiki page.

Just as those before you did it for you.
}}

== Minimal Hardware Requirements ==

* At least 100 MB of RAM. [A graphical desktop system may require up to 1 GB minimum.]
* At least 0-700 MB space on a writable storage device. [Only required in "sys" or "data" mode installations (explained below). It is optional in "diskless" mode, where it may be used to save newer data and configurations states of a running system.]

For more information please check [[Requirements]]

== Installation Overview ==

=== The general course of action ===
{{Note|For single-board-computer (SBC) architectures which can not boot .iso images, see [[Alpine_on_ARM|Alpine on ARM]] for peculiarities.}}

As usual, starting an installation procedure requires some basic steps (additional details for all the steps follow [[Installation#Basic Installation Step Details|below]]): 

# Downloading and verifying the proper [https://alpinelinux.org/downloads/ stable-release ISO installation image-file] for the computer's architecture, and the corresponding <code>sha256</code> (checksum) and <code>GPG</code> (signature) files.
# Either burning the ISO image-file onto a blank CD/DVD/Blu-ray disk with disk burning software, or flashing the installation image onto a bootable storage device (USB-device, CF-/MMC-/SD-card, floppy, ...).
# Optional boot media customization, e.g. to do the install on a headless system. With alpine, this may be done by first booting the install media either on some computer with keyboard and monitor attached or in a virtual machine, then doing an intermediate "diskless" setup of the boot media (see below), i.e. configuring the network and a ssh server and using <code>[[Alpine_local_backup|lbu commit]]</code> to save the customized setup in an apkovl file on the boot media (if it is writable, otherwise on a separate storage media).
# Booting the target computer from the prepared disk or storage device.

The boot process of the alpine installation image first copies the entire operating system into the RAM memory, and then already starts a complete Alpine Linux system from there. It will initially only provide a basic command line environment that does not depend on reading from any (possibly slow) initial boot media, anymore.

Local log-in is possible as the user <code>root</code>. Initially, the root user has no password.

At the command prompt, an interactive script named <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> is available to configure and install the initial Alpine Linux system.

The question-and-answer dialog of <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> takes care of the base configuration and allows to configure the system to
boot into one of three different '''Alpine Linux disk modes''': '''"diskless"''', '''"data"''', or '''"sys"'''.

These modes are explained in more detail in the following subsections.

{{Note|It can be helpful to know that it is possible to first only complete a base configuration of the initial "diskless" installation system in order to to prepare the system. For example, to download and install some specific driver or software tool. And then use more specific [[Alpine_setup_scripts|setup-scripts]] afterwards, to proceed with the final installation. The base configuration of the "diskless" system may be completed by running <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> and answering "none" when asked for the disk to use, and where to store configs, as well as for the location for the package cache.

Examples of preparation options:

* Preparing a custom partitioning or filesystem scheme that avoids to use and/or overwrite an entire disk ([[Installation#Custom_partitioning_of_the_harddisk|details below]]).
* Installing something that may be missing in the live system to configure the hardware, e.g. by using the alpine package manager <code>[[Alpine_Package_Keeper|apk]]</code>.

Examples of proceeding options:

* <code>[[Alpine_setup_scripts#setup-lbu|setup-lbu]]</code> to configure a "local backup" location for the diskless system, and <code>[[Alpine_local_backup|lbu commit]]</code> to then save the local configuration state.
* <code>[[Alpine_setup_scripts#setup-apkcache|setup-apkcache]]</code> to configure a local package cache storage location.
* <code>[[Alpine_setup_scripts#setup-disk|setup-disk]]</code> to add a "data" mode partition, or do a classic full install of the "diskless" system onto a "sys" disk or partition.

There are many more [[Alpine_setup_scripts|setup-scripts]] available. All these tools may also be run later to adjust specific configurations. For example, to set up a graphical environment as covered under [[Installation#Post-Installation|Post-Installation]] below.
}}

==='''Diskless Mode'''===
This means the entire operating system with all applications are first loaded into RAM and then only run from there. This is the method already used to boot the .iso installation images, however <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> can also configure the installed system to continue to boot like this if "disk=none" is specified. The mode is extremely fast and can save on unnecessary disk spin-ups, power, and wear. It is similar to what other linux distributions may call a "frugal" install or boot into with a "toram" option.

Custom configurations and package installations may optionally still be preserved or "persist" across reboots by using the Alpine local backup tool <code>[[Alpine_local_backup|lbu]]</code>. It enables committing and reverting system states by using .apkovl files that are saved to writable storage and loaded when booting. If additional or updated packages have been added to the system, these may also be made available for automatic (re)installation during the boot phase without any (re)downloading, by enabling a [[Alpine_Package_Keeper#Local_Cache|local package cache]] on the writable storage.

[[https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10473 FIXME-1]: Storing local configs and the package cache on an ''internal'' disk still requires [[Alpine_local_backup#Saving_and_loading_ISO_image_customizations|some manual steps]] to have the partition listed, i.e. making a /etc/fstab entry, mountpoint, and mount, *before* running setup-alpine. The linked workaround also still requires to commit these configurations to disk manually before rebooting.]

If a writable partition is available, <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> can be told to store the configs and the package cache on that writable partition. (Later, another directory on that same partition or another available partition may also be mounted as /home, or for example, for selected important applications to keep their run-time and user data on it.)

The boot device of the newly configured local "diskless" system may remain the initial (and possibly read-only) installation media. But it is also possible to copy the boot system to a partition (e.g. /dev/sdXY) with <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>.

==='''Data Disk Mode'''===
This mode also runs from system RAM, thus it enjoys the same accelerated operation speed as "diskless" mode. However, swap storage and the entire {{Path|/var}} directory tree get mounted from a persistent storage device (two newly created partitions). The directory {{Path|/var}} holds e.g. all log files, mailspools, databases, etc., as well as <code>[[Alpine_local_backup|lbu]]</code> backup commits and the package cache. This mode is useful for having RAM accelerated servers with variable amounts of user-data that exceed the available RAM size. It enables the entire current system state (not just the boot state) to survive a system crash in accordance with the particular filesystem guarantees.

[[https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10474 FIXME-2]]: Setup-alpine will create the data partition and mount it as /var, but can not yet configure lbu storage settings automatically. It is currently necessary to select "none" at the 'where to store configs' prompt (the new data partition is not listed) and configure lbu manually, i.e. after running <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> and before rebooting:

# Identify the created data partition, e.g. <code>/dev/sd''XY''</code>, and its filesystemtype, e.g. using <code>''lsblk''</code>
# Manually edit the lbu backups location in <code>/etc/lbu/lbu.conf</code> and configure <code>LBU_MEDIA=sd''XY''</code> (according to previous findings).
# Save the configuration on that partition for the next boot with <code>lbu commit</code>.
# If (a new) partition fails to get mounted, execute: <code>mkdir /media/''sdXY'' ; echo "/dev/sd''XY'' /media/sd''XY'' ''fstype'' noauto,rw 0 0" >> /etc/fstab</code>, and try <code>lbu commit</code> again.

In data disk mode, the boot device may also remain the initial (and possibly read-only) installation media, or be copied to a partition (e.g. /dev/sdXY) with <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>.

==='''System Disk Mode'''===
This is a traditional hard-disk install.

If this mode is selected, the <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> script creates three partitions on the selected storage device, {{Path|/boot}}, {{Path|swap}} and {{Path|/}} (the filesystem root). This mode may, for example, be used for generic [[:Category:Desktop|desktop]] and development machines.

For custom partitioning, see [[Setting up disks manually]].

To install along side another operating systems, see [[Dualbooting]].

== Basic Installation Step Details ==

{{Expand| }}

This "Additional Details" section needs to be consolidated with the work at '''[https://docs.alpinelinux.org https://docs.alpinelinux.org] (not finished)'''
(Restructuring things there, moving and linking from here or there?).

=== Verifying the downloaded image-file ===

{| class="wikitable" style="width:95%; align=center"
|+ Commands to verify the checksum and GPG signature of a downloaded image-file on different systems.
|-
! width=100px | OS type
! <code>SHA256</code> check !! <code>SHA256</code> calculation (to be compared manually) !! <code>GPG</code> signature verification
|-
! Linux
| <code>sha256sum -c alpine-*.iso.sha256</code> || || <code>curl https://alpinelinux.org/keys/ncopa.asc | gpg --import ;</code>
<code> gpg --verify alpine-<version>.iso.asc alpine-<version>.iso</code>
|-
! MACOS
| - ? - || <code>shasum -a 256 alpine-*.iso</code> || - ? -
|-
! OpenBSD
| <code>sha256 -C alpine-*.sha256 alpine-*.iso</code> || || <code>doas pkg_add gnupg;
ftp -o - https://alpinelinux.org/keys/ncopa.asc | gpg --import ;
gpg --verify alpine-<version>.iso.asc alpine-<version>.iso</code>
|-
! FreeBSD
| - ? - || <code>/usr/local/bin/shasum -a 256 alpine-*.iso</code> || - ? -
|-
! NetBSD
| - ? - || <code>/usr/local/bin/shasum -a 256 alpine-*.iso</code> || - ? -
|-
! Windows (PowerShell installed)
| - ? - || <code>Get-FileHash .\alpine-<image-version>.iso -Algorithm SHA256</code> || - ? -
|}

=== Flashing (direct data writing) the installation image-file onto a device or media ===

==== Unix/Linux ====

Under Unix (and thus Linux), "everything is a file" and the data in the image-file can be written to a device or media with the <code>dd</code> command. Afterward, executing the <code>eject</code> command removes the target device from the system and ensures the write cache is completely flushed.

dd if=<iso-file-to-read-in> of=<target-device-node-to-write-out-to> bs=4M oflag=sync status=progress; eject <target-device-node-to-write-to>

Be careful to correctly identify the target device as any data on it '''will''' be lost! All connected "bulk storage devices" can be listed with <code><nowiki>lsblk</nowiki></code> and <code><nowiki>blkid</nowiki></code>.

# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdX 0:0 0 64,0G 0 disk
├─sdX1 0:1 0 2G 0 part
└─sdX2 0:2 0 30G 0 part /mnt/sdX2

# blkid
/dev/sdX1: LABEL="some" UUID="..." TYPE="vfat"
/dev/sdX2: LABEL="other" UUID="..." TYPE="ext4"

For example, if /dev/sdX is the desired target device, first make sure you un-mount all mounted partitions of the target device. For example sdX1 and sdX2:

umount /dev/sdX1 /dev/sdX2

For <code>dd</code>'s output-file (<code>of=</code>), however, do '''not''' specify a partition number. For example, write to sdX, '''not''' sdX1:

Warning: '''This will overwrite the target device /dev/sdX''', so before executing, make sure you have a backup of the data if you can't afford to lose it.

dd if=~/Downloads/alpine-standard-3.00.0-x86_64.iso of=/dev/sdX bs=4M oflag=sync status=progress; eject /dev/sdX

==== Windows ====

For example, there is the [https://rufus.ie/ Rufus] program. Rufus will enable you to create bootable USB flash drives under Windows.

Rufus has been tested and works for Alpine Linux 3.12.x with the following settings:
* '''Partition scheme''': <code>MBR</code>
* '''Target system''': <code>BIOS or UEFI</code>
* '''File system''': <code>FAT32</code>
* '''Cluster size''': <code>4096 bytes (default)</code>

=== Verifying the written installation media ===

After detaching and re-attaching the device, a bit-wise comparison can verify the data written to the device (instead of just data buffered in RAM). If the comparison terminates with an end-of-file error on the .iso file side, all the contents from the image have been written (and re-read) successfully:

# cmp ~/Downloads/alpine-standard-3.00.0-x86_64.iso /dev/sdX
cmp: EOF on alpine-standard-3.00.0-x86_64.iso

=== Booting from external devices ===

Insert the boot media to a proper drive or port of the computer and turn the machine on, or restart it, if already running.

If the computer does not automatically boot from the desired device, one needs to bring up the boot menu and choose the media to boot from. Depending on the computer, the menu may be accessed by repeatedly pressing a key quickly when booting starts. Some computers require that you press the button ''before'' starting the computer and hold it down while the computer boots. Typical keys are: `F9`-`F12`, sometimes `F7` or `F8`. If these don't bring up the boot menu, it may be necessary to enter the BIOS configuration and adjust the boot settings, for which typical keys are: `Del.` `F1` `F2` `F6` or `Esc.`

=== Custom partitioning of the harddisk ===

It is possible to specify configurations for RAID, encryption, LVM, etc. as well as manual partitioning.

For "diskless" or "data disk" mode installs, manual partitioning may be needed to prepare the harddisk for committing local backups of the system state with <code>[[Alpine_local_backup|lbu commit]]</code>, to have a place for a package cache, or to use it for a /var mount.

For a "sys" install, custom partitioning is needed only if the desired scheme differs from overwriting an entire disk, or using the default set of a /boot, swap and root partition on the disk.

See [[Setting up disks manually]] for the alpine options for RAID, encryption, LVM, etc. and manual partitioning.

=== Questions asked by <code>setup-alpine</code> ===
[[File:Installation-alpine-alpine-setup-3-setup-scripts.png|350px|thumb|right|Example <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> session]]

The <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> script offers the following configuration options:

* '''Keyboard Layout''' (Local keyboard language and usage mode, e.g. ''us'' and variant of ''us-nodeadkeys''.)
* '''Hostname''' (The name for the computer.)
* '''Network''' (For example, automatic IP address discovery with the "DHCP" protocol.)
* '''DNS Servers''' (Domain Name Servers to query. For privacy reasons it is NOT recommended to route every local request to servers like google's <s>8.8.8.8</s> .)
* '''Timezone'''
* '''Proxy''' (Proxy server to use for accessing the web. Use "none" for direct connections to the internet.)
* '''Mirror''' (From where to download packages. Choose the organization you trust giving your usage patterns to.)
* '''SSH''' (Secure SHell remote access server. "Openssh" is part of the default install image. Use "none" to disable remote login, e.g. on laptops.)
* '''NTP''' (Network Time Protocol client used for keeping the system clock in sync with a time server. Package "chrony" is part of the default install image.)
* '''Disk Mode''' (Select between diskless (disk="none"), "data" or "sys", as described above.)
{{Warning|The data on a chosen device will be overwritten!}}

=== Preparing for the first boot ===

If <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> has finished configuring the "sys" disk mode, the system should be ready to reboot right away (see next subsection).

If the new local system was configured to run in "diskless" or "data" mode, and you do not want keep booting from the initial (and possibly read-only) installation media, the boot system needs to be copied to another device or partition.

The target partition may be identified using <code><nowiki>lsblk</nowiki></code> (after installing it with <code>apk add lsblk</code>) and/or <code>blkid</code>, similar to previously identifying the initial installation media device.

The procedure to copy the boot system is explained at <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>

Once everything is in place, save your customized configuration with <code>lbu commit</code> before rebooting.

=== Rebooting and testing the new system ===

First, remove the initial installation media from the boot drive, or detach it from the port it's connected to.

The system may now be power-cycled or rebooted to confirm everything is working correctly.

The relevant commands for this are <code>poweroff</code> or <code>reboot</code>.

=== Completing the installation ===

The installation script installs only the base operating system. '''No''' applications e.g. web server, mail server, desktop environment, or web browser are installed, and <code>root</code> is the only user.

Please look under [[Installation#Post-Installation|Post-Installation]] below, for some common things to do after installation.

= Further Installation Instructions =

{{Note| Specific topics should be kept on separate, individually manageable topic-pages and only get listed with a direct reference (link) on this general page.}}

=== Installation ===

* [[Kernels]] ''(kernel selection, e.g. for VMs or RPi)''
* [[How to make a custom ISO image with mkimage]] ''(installation media with its own configuration)''
* [[Directly booting an ISO file]] ''(without flashing it to a disk or device)''
* [[Dualbooting|Dual/multi-boot install to HDD partition]]
* [[Netboot Alpine Linux using iPXE]]
Also see other [[:Category:Installation|Installation Category]] pages.

=== Post-Installation ===



* [[Setting up a new user]] ''(to allow remote, console, or graphical logins)''
* [[Tutorials_and_Howtos#Networking_2|Setting up Networking]] ''(including non-standard configurations)''
* [[Alpine_Package_Keeper|Package Management (apk)]] ''(how to search/add/del packages etc.)''
** [[Alpine_Package_Keeper#Upgrade_a_Running_System|Upgrading Alpine]] ''(checking for and installing updates)''
** [[Repositories#Managing_repositories|Enable the community repository]] ''(access to additional packages)''
* [[Alpine_Linux:FAQ#Why_don.27t_I_have_man_pages_or_where_is_the_.27man.27_command.3F|man command/man pages]]
* [[Change default shell]]
* [[Running glibc programs]] ''(installation and development)''
 

* [[Alpine_local_backup|Local backup utility <code>lbu</code>]] ''(persisting RAM system configurations)''
** [[Back Up a Flash Memory Installation]] ''("diskless mode" systems)''
** [[Manually_editing_a_existing_apkovl]] ''(the stored custom configs)''
 

* [[OpenRC|Init System (OpenRC)]] ''(configure a service to automatically boot at next reboot)''
** [[Writing Init Scripts]]
** [[Multiple Instances of Services]]
 

* [[Alpine setup scripts#setup-xorg-base|<code>setup-xorg-base</code>]] ''(setup graphical base environment)''
** [[Tutorials_and_Howtos#Desktop|Desktop Environments]]
 

* [[Hosting services on Alpine]] ''(links to several mail/web/ssh server setup pages)''
 

* [[How to get regular stuff working]] ''(things one may miss in a too lightweight installation )''
* Running applications and services in their own [[Firejail Security Sandbox]]

=== Broader Usage Guides ===

* See: [[Tutorials and Howtos]]

= General Documentation =

{{Tip| Alpine Linux packages stay close to the upstream design. Therefore, all upstream documentation about configuring a software package, as well as good configuration guides from other distributions that stay close to upstream, e.g. those in the [https://wiki.archlinux.org/ ArchWiki], are to a large degree, also applicable to configuring the software on Alpine Linux, thus can be very useful.}}

* [[Alpine_Linux:FAQ|FAQs]]
* [[Alpine_Linux:Contribute|How to Contribute]]
* [[:Category_talk:Developer_Documentation|Developer Documentation]]
* [[Alpine_Linux:Wiki_etiquette|Wiki etiquette]] ''(to collaborate on this documentation)''
* [[Comparison with other distros]] ''(how common things are done on Alpine)''

----
[[Category:Installation]]