Create UEFI secureboot USB: Difference between revisions
Prabuanand (talk | contribs) m (removed the link to Create UEFI boot USB page) |
|||
(12 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
This article explains how to create an UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with | This article explains how to create an [[UEFI]] boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with Alpine Linux did not work and Gummiboot only worked on one of two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them given time. | ||
In this example we will use {{Path|/dev/sdX}} and $HOME. This will be different depending on your system. Substitute the paths in the examples below as necessary. | In this example we will use {{Path|/dev/sdX}} and $HOME. This will be different depending on your system. Substitute the paths in the examples below as necessary. | ||
Line 34: | Line 34: | ||
== Download and install rEFInd == | == Download and install rEFInd == | ||
Download the binary zip file of rEFInd from | Download the binary zip file of rEFInd from https://www.rodsbooks.com/refind/getting.html. In this example we will use the current version of rEFInd, refind-bin-0.11.4.zip. There may be a more recent version of rEFInd available when you download. | ||
{{Cmd | cd /mnt/efi/boot | {{Cmd | cd /mnt/efi/boot | ||
Line 42: | Line 42: | ||
== Copy signed shim == | == Copy signed shim == | ||
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz. In this example we assume it is stored in your users download directory. Substitute the paths in the example below as necessary. | Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz{{dead link}}. In this example we assume it is stored in your users download directory. Substitute the paths in the example below as necessary. | ||
{{Cmd | cd /mnt/efi/boot | {{Cmd | cd /mnt/efi/boot | ||
gunzip -c /path/to | gunzip -c /path/to/shim-signed-0.2.tgz | tar x --strip-components{{=}}1 --no-same-owner}} | ||
== Install Shim and Certificate == | == Install Shim and Certificate == | ||
{{Cmd | cp $HOME/alpine_local.cer /mnt/ | {{Cmd | cp $HOME/alpine_local.cer /mnt/efi/boot | ||
cp /mnt/efi/boot/refind_x64.efi /mnt/efi/boot/grubx64.efi | |||
cp /mnt/efi/boot/shim.efi /mnt/efi/boot/bootx64.efi }} | |||
== Sign the Bootloader and kernel with your key == | == Sign the Bootloader and kernel with your key == | ||
{{Cmd | sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt grubx64.efi | {{Cmd | sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/efi/boot/grubx64.efi | ||
mv grubx64.efi.signed | mv /mnt/efi/boot/grubx64.efi.signed /mnt/efi/boot/grubx64.efi | ||
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/boot/vmlinuz-vanilla | |||
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt vmlinuz-vanilla | mv /mnt/boot/vmlinuz-vanilla.signed /mnt/boot/vmlinuz-vanilla}} | ||
mv vmlinuz-vanilla.signed vmlinuz-vanilla}} | |||
== Unmount the partition == | == Unmount the partition == | ||
Line 64: | Line 62: | ||
{{Cmd | cd ~ && umount /mnt}} | {{Cmd | cd ~ && umount /mnt}} | ||
[[Category:Installation]] | == Install the Keys and Enroll Hash == | ||
Insert the USB into the target PC and boot. When prompted select to enroll key, navigate to alpine_local.cer and add it. Then select enroll hash navigate to efi/boot/grubx64.efi select it and add the hash. Now reboot and given a bit of luck it should launch alpine. This step is a bit more complex than it needs to be due to the binary distribution of refind already being signed by the authors key. Once rEFInd is packaged it should simplify this step. | |||
[[Category:Installation]] [[Category:UEFI]] |
Latest revision as of 03:40, 30 December 2024
This article explains how to create an UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with Alpine Linux did not work and Gummiboot only worked on one of two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them given time.
In this example we will use /dev/sdX and $HOME. This will be different depending on your system. Substitute the paths in the examples below as necessary.
Create GPT boot partition
Install parted
apk add parted
Create a single UEFI boot partitions.
parted --script /dev/sdX mklabel gpt parted --script --align=optimal /dev/sdX mkpart ESP fat32 1MiB 100% parted --script /dev/sdX set 1 boot on
Create fat32 filesystem
Create a fat32 system with the name `Alpine`.
mkfs.vfat -n ALPINE /dev/sdX1
Copy content of ISO image to filesystem
It is possible to mount the iso image and copy files with cp or rsync and it is also possible to use 7z to extract content from the iso. In this example I will use the uniso utility from alpine-conf package.
mount -t vfat /dev/sdX1 /mnt cd /mnt uniso < /path/to/alpine-3.8.2-x86_64.iso
Create MOK Key
openssl req -new -x509 -newkey rsa:2048 -keyout $HOME/alpine_local.key -out $HOME/alpine_local.crt -nodes -days 3650 -subj "/CN=Alpine Local CA/" openssl x509 -in $HOME/alpine_local.crt -out $HOME/alpine_local.cer -outform DER
Download and install rEFInd
Download the binary zip file of rEFInd from https://www.rodsbooks.com/refind/getting.html. In this example we will use the current version of rEFInd, refind-bin-0.11.4.zip. There may be a more recent version of rEFInd available when you download.
cd /mnt/efi/boot unzip /path/to/refind-bin-0.11.4.zip mv refind-bin-0.11.4/refind/* . rm -rf refind-bin-0.11.4
Copy signed shim
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz[Dead Link]. In this example we assume it is stored in your users download directory. Substitute the paths in the example below as necessary.
cd /mnt/efi/boot gunzip -c /path/to/shim-signed-0.2.tgz | tar x --strip-components=1 --no-same-owner
Install Shim and Certificate
cp $HOME/alpine_local.cer /mnt/efi/boot cp /mnt/efi/boot/refind_x64.efi /mnt/efi/boot/grubx64.efi cp /mnt/efi/boot/shim.efi /mnt/efi/boot/bootx64.efi
Sign the Bootloader and kernel with your key
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/efi/boot/grubx64.efi mv /mnt/efi/boot/grubx64.efi.signed /mnt/efi/boot/grubx64.efi sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/boot/vmlinuz-vanilla mv /mnt/boot/vmlinuz-vanilla.signed /mnt/boot/vmlinuz-vanilla
Unmount the partition
Finally umount the disk
cd ~ && umount /mnt
Install the Keys and Enroll Hash
Insert the USB into the target PC and boot. When prompted select to enroll key, navigate to alpine_local.cer and add it. Then select enroll hash navigate to efi/boot/grubx64.efi select it and add the hash. Now reboot and given a bit of luck it should launch alpine. This step is a bit more complex than it needs to be due to the binary distribution of refind already being signed by the authors key. Once rEFInd is packaged it should simplify this step.