UEFI: Difference between revisions

From Alpine Linux
(links all the related boot media manuals and pages from UEFI and BIOS wiki page)
(removed outdated information, reduced redundant information added links to see also section)
 
Line 1: Line 1:
{{TOC right}}
Unified Extensible Firmware Interface (UEFI) is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI-implementation is typically the first that runs, before starting the operating system. This page documents how Alpine Linux works with devices using UEFI firmware.


'''What is UEFI? A new (relatively) firmware system (almost mini OS embebed), for computers that manages the early boot process'''
{{Todo|This article is written with a PC-centric (i686+x86_64) point of view. Help making this article more applicable to other UEFI Architectures, particularly ARM, would be greatly appreciated.}}


''When something new comes.. all the bad things become good and news become bad!''
== Disk layout for UEFI ==
Alpine Linux requires a root partition, but on UEFI systems an EFI System Partition(ESP) is also required. The EFI System Partition must contain a bootloader program in {{path|\EFI\$bootloader.efi}}.{{citation needed}}


Now it's on regular home/office made computers and some ARM server boards. It's a huge bloated mess of a spec due manufacturers try to include many things with the [https://en.wikipedia.org/wiki/Unified_EFI_Forum UEFI Forum org]!
Regular UEFI boot has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. These boot entries can be viewed and edited with <Code>efibootmgr</Code> utility available in the {{pkg|efibootmgr}} package.


The problem it's doesn't matter. It's what we have. Learn it or become obsolete. Please continue reading this page for complete technical info about UEFI status on Alpine Linux or proceed with following topics:
The correct way for this to work when booting off local disk is for a boot variable to point to a vendor-specific bootloader program in <code>\EFI\$bootloader.efi</code> on the EFI System Partition (ESP), a specially tagged partition.


* [[Alpine_and_UEFI#Alpine_UEFI_support|Alpine and UEFI]]
The recommended filesystem format for your EFI System Partition (ESP) is '''vfat''' (i.e. FAT16 or FAT32). The '''root partition''', and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading.
* [[Create a Bootable Compact Flash]]
* [[Create a bootable SDHC from a Mac]]
* [[Create a Bootable USB]]
* [[Create UEFI boot USB]]
* [[Create UEFI seureboot USB]]


= UEFI and BIOS definitions and introduction =
=== UEFI/GPT minimal layout ===
 
In the old days, BIOS (for '''B'''asic '''I'''nput '''O'''utput '''S'''ystem) was how computers booted from the 1980s onwards. But now in newer hardware for laptops and desktops computers the UEFI (for '''U'''nified '''E'''xtensible '''F'''irmware '''I'''nterface) defines a software interface between an operating system and platform firmware into the vendor hardware.
 
== What that's means? ==
 
UEFI replaces the BIOS firmware interface originally present in all IBM PC-compatible personal computers, early modern computer's UEFI firmware implementations provide legacy support for BIOS services.
 
== Why change, why more complications? ==
 
Stupid companies.. due stupid is booting Windows from drives bigger than 2TB (something that linux can just do easyle due partitioning and boot management). But really, the issue is about 16-bit processors.
 
== All the system included 16-bit CPU inside? with UEFI will be pure 64-bit ==
 
As example: a top of the range Skylake i7-6700k still has an 80286 embedded in it - for the people who insist on using BIOS. Indeed. But BIOS strictly only supports 16-bit 8088-derivative processors.
 
All of this crap are just due redmon's company operating system limitations in fact! due intel, amd and others can easyle provide for many more years an 80286 embedded in each processor
 
== The history so far ==
 
Due newer incoming 64-bit incoming processors the older computers boot process are not more possible. It started life on Itanium (Intel's first 64-bit processor) systems. Itanium had no support for 32-bit, and certainly no embedded 80286, so they had to come up with a different system.
 
Intel developed the original Extensible Firmware Interface (EFI) specification. Some of the EFI's practices and data formats mirror those from Microsoft Windows.[4][5] In 2005, UEFI deprecated EFI 1.10 (the final release of EFI). The Unified EFI Forum is the industry body that manages the UEFI specification.
 
= Alpine UEFI support =
 
The '''support for
[https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition] was started in the [https://alpinelinux.org/posts/Alpine-3.7.0-released.html Alpine 3.7.0 new mayor release]''', preliminary support in that version does not create the
[https://en.wikipedia.org/wiki/EFI_system_partition EFI Partition], only has support for existing ones or manually created.
 
Started '''in the [https://alpinelinux.org/posts/Alpine-3.8.0-released.html Alpine 3.8.0 new mayor release] support in the installer for the GRUB boot loader was added''' so now Linux experimental users can play with combinations of solutions and proper
[https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI] complete installations. Please refer to [[Alpine_and_UEFI#UEFI_and_BIOS|UEFI_and_BIOS section of this page]] first.
 
[https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#EFI_system_partition EFI System Partition] are not the complete overall of the [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI], it's just the need minimal infrastructure to property boot by and [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Implementation_and_adoption UEFI modern machine].
 
Please read carefully the [[Alpine_and_UEFI#UEFI_and_BIOS|UEFI_and_BIOS section of this page]] that was made with new user landing words to easy understanding.
 
== Minimum Alpine partition sheme ==
 
Alpine Linux only require a root partition for system and a swap partition, but, UEFI systems require an EFI system partition also.
 
== Notes about the boot flags and boot partition ==
 
UEFI booting does not involve any "boot" flag, that's it's a need only for BIOS booting. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.
 
A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. The partition has nothing to do and it must not be formatted with a file system or mounted.
 
== Alpine disk layout for UEFI ==
 
You will need a disk layout that your system firmware is capable of booting, you '''will need a boot partition and a root partition'''. Other architectures may have different requirements.
 
The '''boot partition should generally be formatted ext2''' unless you have specific requirements. The '''root partition, and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading'''.
 
==== UEFI/GPT minimal layout ====


{| class="wikitable"
{| class="wikitable"
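Review bot: the new intro line in this hunk tags `{{path|\EFI\$bootloader.efi}}` with {{citation needed}} while the new boot-process text later on the same page says the firmware looks for /efi/boot/bootx64.efi; the two are different cases and the text should say so. The fixed path \EFI\BOOT\BOOTX64.EFI is the removable-media fallback the firmware tries with no NVRAM entry at all, whereas a vendor path under \EFI\ only works because a Boot#### variable (the efibootmgr entries mentioned in the same paragraph) records it, so suggest replacing the `$bootloader` placeholder with that distinction and dropping the citation tag.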
Line 74: Line 19:
! Partition
! Partition
! Partition type Purpose
! Partition type Purpose
! Recommended size
! Recommended minimum size
|-
|-
| /boot or /efi
| /boot or /efi or /boot/efi
| /dev/sda1
| /dev/sda1
| Boot system partition for EFI
| EFI system partition
| 260 MiB
| 260 MiB
|-
|-
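Review bot: the header cell `! Partition type Purpose` in both the old and new header rows of this hunk reads as two headings run together, and the data cell beneath it in the new row (`EFI system partition`) only carries a purpose; rename it `! Purpose`, or add the GPT partition type name as its own column so the table states which type GUID the installer expects. Renaming `Recommended size` to `Recommended minimum size` is a good change, since 260 MiB is the floor, not a target.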
Line 85: Line 30:
| Alpine Linux root system OS
| Alpine Linux root system OS
| 1–32 GiB
| 1–32 GiB
|-
| none
| /dev/sda3
| Linux swap memory
| 1-2Gb
|}
|}
=== BIOS layouts ===


==== BIOS/MBR minimal layout ====
==== BIOS/MBR minimal layout ====
UEFI replaced the BIOS that was present in the boot ROM of all personal computers that are IBM PC compatible. UEFI provide backwards compatibility with the BIOS using CSM booting.


{| class="wikitable"
{| class="wikitable"
Line 98: Line 41:
! Partition
! Partition
! Partition type Purpose
! Partition type Purpose
! Recommended size
! Recommended minimum size
|-
|-
| /boot
| /boot
Line 109: Line 52:
| Alpine Linux root system OS
| Alpine Linux root system OS
| 1–32 GiB
| 1–32 GiB
|-
| none
| /dev/sda3
| Linux swap memory
| 1-2Gb
|}
|}


Line 122: Line 60:
! Partition
! Partition
! Partition type Purpose
! Partition type Purpose
! Recommended size
! Recommended minimum size
|-
|-
| None
| None
Line 133: Line 71:
| Alpine Linux root system OS
| Alpine Linux root system OS
| 1–32 GiB
| 1–32 GiB
|-
 
| none
| /dev/sda3
| Linux swap memory
| 1-2Gb
|}
|}


== See Also ==
=== Boot flags and boot partition ===


* [[Alpine_newbie_install_manual|Alpine Installation]]
UEFI booting does not involve any "boot" flag, that's it's a need only for BIOS booting. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.
* [[Create a Bootable Compact Flash]]
* [[Create a bootable SDHC from a Mac]]
* [[Create a Bootable USB]]
* [[Create UEFI boot USB]]
* [[Create UEFI seureboot USB]]
 
= BIOS boot process for newbies =
 
BIOS only supports two methods of booting - loading 448ish bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk
 
BIOS can only assume one boot loader occupying the start of hard drive. So each OS overwrites it with its own boot loader. Messy messy. There's also the 2TB issue I mentioned before
 
In order to make your drive more useful, it's split up into partitions - chunks of disk which can be treated as independent drives from inside your OS. Ruindows (following on from MS-DOS) only supports one method for partitioning its boot drive on BIOS systems: "MBR"
 
MBR cannot handle numbers bigger than 2,199,023,255,552. It is impossible to talk about any drive beyond 2TB using MBR layout. So if you're booting from it and use BIOS, you MUST use MBR (because that's all Windows supports) - and you simply can't use any space beyond that if your boot drive is 3TB or bigger.
 
For now. Ish. Any modern motherboard (some 2011 onwards, all with a Ruindows 8 logo on the box) is using UEFI natively, but most can emulate BIOS enough for you to keep booting with BIOS.
 
== How to choose BIOS Boot options media ==


WIP due we nee a very easy way to tell this
A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. This partition must not be formatted with a file system or mounted.


= UEFI boot process for newbies.. i mean for complications =
== Boot process ==
=== BIOS boot process ===


Well, let's start with installers. It'll read a UDF or FAT32-formatted USB drive or DVD, and look for the file /efi/boot/bootx64.efi and run it. An app, written in the UEFI "OS". It can be anything! Here's classic text adventure Zork, as a UEFI app.
BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk.


It's possible to make boot media which is valid for both UEFI and BIOS. Unfortunately, in a slightly user-unfriendly twist, you (the user) need to pick the right boot entry. For example, on the wife's PC, a USB stick gets listed as both "UEFI: Sandisk Cruzer Edge" and "USB: Sandisk Cruzer Edge". Just... make sure you pick the right entry. It's impossible to change mode after this point.
BIOS can only assume one boot loader occupying the start of hard drive. So each OS overwrites it with its own boot loader.  


It uses a different partitioning system called GPT instead of MBR, and secondly it creates an extra ~100 meg partition called the "EFI System Partition" - a FAT32 partition where the boot loader apps get installed to (no more boot sectors).
MBR cannot handle disks larger than 2 TiB (2<sup>32</sup> × 512 bytes). Therefore, it is impossible to use any drive space beyond 2 TiB using MBR layout. So if you're booting from it and use BIOS, you MUST use MBR - and you simply can't use any space beyond that if your boot drive is 2TB or bigger.


Each OS will stick its boot loader somewhere in the ESP, then send a signal to the firmware to write this new loader's location into the CMOS. Each entry installed in this manner will get its own listing in your "boot devices" list on the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot. This is why you don't do the old "unplug drive A when installing a different OS to drive B" thing, or swap cables, or anything like that. You should only have one ESP, the one on drive A.  
Modern motherboards (since approximately 2011 onwards) are using UEFI natively, but most can emulate BIOS through the CSM (Compatibility Support Module) to maintain support for BIOS-style booting.


== What's this infamous "secure boot" ==
=== UEFI boot process ===


It's a way for your motherboard to prevent tampering of your OS (e.g. boot-sector viruses, or backdoors installed without your knowledge .. umm suuureeeee). You can provide a list of certificates you trust, then the firmware enforces that everything involved with the boot process (not just the boot loader, but the OS kernel itself, and all your device firmwares like your GPU BIOS) are signed with a trusted key.
UEFI firmware can read a UDF or FAT32-formatted USB drive or DVD, and look for the file /efi/boot/bootx64.efi and run it.  


It stops you booting "untrusted stuff" (suuuurrreeee). So you can sign your own crap, and trust the certificate you used to do that signing. Or you can get your crap signed by Microsoft - every motherboard has a small list of pre-trusted certificates which includes Microsoft's cert, which they'll let anyone use for a small fee.
UEFI uses a partitioning system called GPT instead of MBR, and needs a partition called "EFI System Partition" (ESP) - a FAT32 partition where the boot loader apps get installed to.  


== How to boot older things? ==
Each OS will stick its boot loader somewhere in the ESP and each entry installed in this manner will get its own listing in your "boot devices" list on the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot.


Must be disable the Secure Boot, but that option will not remains forever.
== Secure boot ==
{{Main|UEFI Secure Boot}}


= Overall notes and conclusions =
When the device is powered ON, secure boot checks the digital signatures of the bootloader and operating system. If the signatures are valid and match the trusted keys stored in the system, the boot process continues. If not, secure boot halts the process to protect against tampering. You can provide a list of certificates you trust, then the firmware enforces that everything involved with the boot process (not just the boot loader, but the OS kernel itself, and all your device firmware like your GPU BIOS) are signed with a trusted key. It works using cryptographic checksums and signatures. It stops your system from booting unsigned code. You can sign your own, and trust the certificate you used to do that signing.


UEFI is buggy due Motherboard manufacturers dont implement property the specs, and hire the cheapest developers to work for them, so problems will come so far!
Almost all new computer systems  i.e every motherboard has a small list of pre-trusted certificates which almost (always) includes Microsoft's certificates, which they currently let anyone use for a small fee. This is due to Microsoft's actions as a Certification Authority (CA) for Secure Boot. They sign programs/bootloaders on behalf of other trusted organizations so that their programs will run, but at a cost.


BIOS has been around a couple of decades longer, so has a couple of decades of extra bug fixing applied. Problems exist but with solutions!
Alpine Linux does not have a certificate which some other Linux distributions (mostly enterprise-related) have. This means that on new computer systems, users have to first ''' disable Secure Boot to be able to install Alpine Linux'''.


It's not malice, it's incompetence. But the solution isn't sticking with BIOS - it's learning a new set of workarounds.
{{Tip|''' Disable Secure Boot in UEFI''' firmware to be able to [[Installation|install]] Alpine Linux. Refer [[UEFI_Secure_Boot|Secure boot]] page for enabling it after Alpine Linux is installed.}}


= See Also =
Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates from motherboard manufacturers which can run before operating system startup (like <Code>fwupdate/fwupd</Code>), and other utilities may live here too.


* [[Newbie_Alpine_Ecosystem]]
== See also ==
* [[Alpine_newbie_install_manual|Alpine Installation]]
* [[Create a Bootable Compact Flash]]
* [[Create a bootable SDHC from a Mac]]
* [[Create a Bootable USB]]
* [[Create UEFI boot USB]]
* [[Create UEFI seureboot USB]]


[[Category:Newbie]]
* [[UEFI_Secure_Boot|How to enable secure boot]]
[[Category:Installation]]
* [[Bootloaders]]
* [[Create UEFI secureboot USB]]
* [[Setting_up_disks_manually#Manual_partitioning | Manual partitioning]]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface UEFI - Archwiki]
* [https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition - Wikipedia]  
[[Category:Installation]][[Category:UEFI]]
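Review bot: in the new MBR paragraph of this hunk the limit is given as 2 TiB (2<sup>32</sup> × 512 bytes) but the sentence ends with "if your boot drive is 2TB or bigger", which mixes units and puts a disk of exactly the limit on the wrong side of it; write "larger than 2 TiB" and keep one unit throughout. In the new Secure boot section, "Alpine Linux does not have a certificate" should state what is actually missing: Alpine's boot loader is not signed by the Microsoft CA that firmware ships pre-trusted, so the factory key set rejects it unless Secure Boot is disabled or the user signs it and trusts their own certificate, as the paragraph above it already describes.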

Latest revision as of 15:11, 30 December 2024

Unified Extensible Firmware Interface (UEFI) is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI implementation is typically the first code that runs, before the operating system is started. This page documents how Alpine Linux works with devices using UEFI firmware.

Todo: This article is written with a PC-centric (i686+x86_64) point of view. Help making this article more applicable to other UEFI Architectures, particularly ARM, would be greatly appreciated.


Disk layout for UEFI

Alpine Linux requires a root partition, but on UEFI systems an EFI System Partition (ESP) is also required. The EFI System Partition must contain a bootloader program in \EFI\$bootloader.efi. [citation needed]

A regular UEFI boot has several lists of possible boot entries, stored in UEFI configuration variables (normally in NVRAM), with boot order configuration variables stored alongside them. These boot entries can be viewed and edited with the efibootmgr utility, available in the efibootmgr package.

When booting from a local disk, the correct way for this to work is for a boot variable to point to a vendor-specific bootloader program in \EFI\$bootloader.efi on the EFI System Partition (ESP), a partition tagged with the ESP partition type.

The recommended filesystem format for your EFI System Partition (ESP) is vfat (i.e. FAT16 or FAT32). The root partition, and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading.

UEFI/GPT minimal layout

Mount point               Partition   Purpose                        Recommended minimum size
/boot, /efi or /boot/efi  /dev/sda1   EFI system partition           260 MiB
/                         /dev/sda2   Alpine Linux root system (OS)  1–32 GiB

BIOS layouts

BIOS/MBR minimal layout

UEFI replaced the BIOS that was present in the boot ROM of all IBM PC compatible personal computers. UEFI firmware provides backwards compatibility with the BIOS through CSM booting.

Mount point  Partition   Purpose                         Recommended minimum size
/boot        /dev/sda1   GRUB boot partition (optional)  100 MiB
/            /dev/sda2   Alpine Linux root system (OS)   1–32 GiB

BIOS/GPT minimal layout

Mount point  Partition   Purpose                        Recommended minimum size
None         /dev/sda1   BIOS boot partition            8 MiB
/            /dev/sda2   Alpine Linux root system (OS)  1–32 GiB

Boot flags and boot partition

UEFI booting does not involve any "boot" flag; that flag is needed only for BIOS booting. UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.

A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. This partition must not be formatted with a file system or mounted.

Boot process

BIOS boot process

BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk.

BIOS can only assume one boot loader occupying the start of the hard drive, so each OS overwrites it with its own boot loader.

MBR cannot handle disks larger than 2 TiB (2^32 × 512 bytes). Therefore, it is impossible to use any drive space beyond 2 TiB with an MBR layout. So if you're booting from it and use BIOS, you MUST use MBR - and you simply can't use any space beyond that if your boot drive is 2TB or bigger.

Modern motherboards (since approximately 2011) use UEFI natively, but most can emulate BIOS through the CSM (Compatibility Support Module) to keep supporting BIOS-style booting.
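As an added example (not code from the Alpine wiki or its installer), the script below decodes raw 128-byte GPT partition entries and recognises the EFI system partition and the BIOS boot partition by their partition type GUID, which is what parted's "boot" flag on GPT sets; it then applies the rules from the layout tables above (exactly one ESP of at least 260 MiB plus a Linux root) and checks the MBR 2 TiB limit. The sample entries are constructed inline, and the partition names and `check_uefi_layout` rules are this example's own.

```python
import struct
import uuid

# Well-known GPT partition type GUIDs (public values from the UEFI/GPT specification).
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")        # EFI System Partition
BIOS_BOOT_GUID = uuid.UUID("21686148-6449-6E6F-744E-656564454649")  # BIOS boot partition (GRUB on BIOS/GPT)
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")   # Linux filesystem data
TYPE_NAMES = {ESP_GUID: "EFI system partition",
              BIOS_BOOT_GUID: "BIOS boot partition",
              LINUX_FS_GUID: "Linux filesystem"}

SECTOR = 512
# GPT partition entry: type GUID, unique GUID, first LBA, last LBA, attributes, UTF-16LE name (72 bytes)
ENTRY_FMT = "<16s16sQQQ72s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 128 bytes
MBR_MAX_BYTES = 2**32 * SECTOR            # MBR has 32-bit LBA fields: 2 TiB with 512-byte sectors

def parse_entry(raw):
    """Decode one 128-byte entry; return None for an unused slot (all-zero type GUID)."""
    type_bytes, _uniq, first, last, _attrs, name = struct.unpack(ENTRY_FMT, raw)
    type_guid = uuid.UUID(bytes_le=type_bytes)   # GPT stores GUIDs in the mixed-endian "LE" layout
    if type_guid.int == 0:
        return None
    return {"type": TYPE_NAMES.get(type_guid, str(type_guid)),
            "name": name.decode("utf-16-le").rstrip("\x00"),
            "size_mib": (last - first + 1) * SECTOR // (1024 * 1024)}

def parse_table(raw):
    """Parse a GPT partition entry array (as stored from LBA 2 onwards) into a list of dicts."""
    entries = [parse_entry(raw[off:off + ENTRY_SIZE]) for off in range(0, len(raw), ENTRY_SIZE)]
    return [e for e in entries if e is not None]

def check_uefi_layout(entries, min_esp_mib=260):
    """Return a list of problems with a UEFI/GPT layout; an empty list means it looks bootable."""
    problems = []
    esps = [e for e in entries if e["type"] == "EFI system partition"]
    if not esps:
        problems.append("no EFI system partition: firmware has nowhere to find \\EFI\\BOOT\\BOOTX64.EFI")
    elif len(esps) > 1:
        problems.append("more than one EFI system partition on the same disk")
    elif esps[0]["size_mib"] < min_esp_mib:
        problems.append("EFI system partition is %d MiB, below the recommended %d MiB"
                        % (esps[0]["size_mib"], min_esp_mib))
    if not any(e["type"] == "Linux filesystem" for e in entries):
        problems.append("no Linux root partition")
    return problems

def fits_in_mbr(disk_bytes):
    """True if every sector of a disk of this size is addressable from an MBR partition table."""
    return disk_bytes <= MBR_MAX_BYTES

def make_entry(type_guid, first_lba, last_lba, name):
    """Build a constructed entry for testing; the unique GUID is just derived from the first LBA."""
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, uuid.UUID(int=first_lba).bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le").ljust(72, b"\x00"))

if __name__ == "__main__":
    # Constructed sample: a 260 MiB ESP at LBA 2048 followed by a 20 GiB root partition.
    table = parse_table(make_entry(ESP_GUID, 2048, 534527, "EFI")
                        + make_entry(LINUX_FS_GUID, 534528, 42477567, "alpine-root"))
    for e in table:
        print("%-22s %-12s %6d MiB" % (e["type"], e["name"], e["size_mib"]))
    print("problems:", check_uefi_layout(table) or "none")
    print("3 TB disk fits in MBR:", fits_in_mbr(3 * 10**12))
```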

UEFI boot process

UEFI firmware can read a UDF or FAT32-formatted USB drive or DVD; it looks for the file /efi/boot/bootx64.efi and runs it.

UEFI uses a partitioning system called GPT instead of MBR, and needs a partition called the "EFI System Partition" (ESP) - a FAT32 partition where the boot loader applications are installed.

Each OS places its boot loader somewhere in the ESP, and each entry installed in this manner gets its own listing in your "boot devices" list in the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot.

Secure boot

When the device is powered on, Secure Boot checks the digital signatures of the bootloader and operating system. If the signatures are valid and match the trusted keys stored in the system, the boot process continues; if not, Secure Boot halts the process to protect against tampering. You can provide a list of certificates you trust, and the firmware then enforces that everything involved in the boot process (not just the boot loader, but the OS kernel itself and all your device firmware, such as your GPU BIOS) is signed with a trusted key. It works using cryptographic checksums and signatures, and it stops your system from booting unsigned code. You can sign your own code and trust the certificate you used for that signing.

Almost all new computer systems, i.e. almost every motherboard, have a small list of pre-trusted certificates which almost always includes Microsoft's certificates, and Microsoft currently lets anyone use them for a small fee. This is because Microsoft acts as a Certification Authority (CA) for Secure Boot: it signs programs and bootloaders on behalf of other trusted organizations so that their programs will run, but at a cost.

Alpine Linux does not have such a certificate, which some other Linux distributions (mostly enterprise-related) have. This means that on new computer systems, users have to first disable Secure Boot to be able to install Alpine Linux.

Tip: Disable Secure Boot in the UEFI firmware to be able to install Alpine Linux. Refer to the Secure boot page for enabling it after Alpine Linux is installed.

Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates from motherboard manufacturers which can run before operating system startup (like fwupdate/fwupd), and other utilities may live here too.
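Added example, not from the Alpine wiki: the boot entries and the Secure Boot state described on this page are UEFI variables that Linux exposes through efivarfs, the same data efibootmgr reads. The code parses SecureBoot, BootOrder and a Boot#### load option from their raw byte layout so you can verify what the firmware will do before and after re-enabling Secure Boot; the variables in the test are constructed inline (the "alpine" entry and its \EFI\alpine\grubx64.efi path are made-up sample values), and `read_efivar` is this example's own helper for reading the real files on a UEFI-booted system.

```python
import os
import struct

EFIVARS = "/sys/firmware/efi/efivars"                      # efivarfs mount point on Linux
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # GUID of SecureBoot, BootOrder, Boot####
LOAD_OPTION_ACTIVE = 0x00000001

def split_efivar(raw):
    """efivarfs prefixes each variable with its 4-byte attribute word; return (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("truncated EFI variable")
    return struct.unpack("<I", raw[:4])[0], raw[4:]

def read_efivar(name, guid=EFI_GLOBAL_GUID):
    """Read a variable such as 'SecureBoot' from efivarfs (needs a UEFI-booted Linux system)."""
    with open(os.path.join(EFIVARS, "%s-%s" % (name, guid)), "rb") as f:
        return f.read()

def secure_boot_enabled(raw):
    """SecureBoot holds a single byte: 1 when the firmware is enforcing signatures."""
    _, data = split_efivar(raw)
    return len(data) == 1 and data[0] == 1

def parse_boot_order(raw):
    """BootOrder is an array of little-endian UINT16 entry numbers, highest priority first."""
    _, data = split_efivar(raw)
    count = len(data) // 2
    return ["Boot%04X" % n for n in struct.unpack("<%dH" % count, data[:count * 2])]

def file_path_from_device_path(dp):
    """Walk device-path nodes (Type, SubType, Length) and return the text of the File Path node."""
    pos = 0
    while pos + 4 <= len(dp):
        ntype, subtype, length = struct.unpack_from("<BBH", dp, pos)
        if ntype == 0x7F or length < 4:            # end-of-path node, or malformed length
            break
        if ntype == 0x04 and subtype == 0x04:      # Media device path, File Path sub-type
            return dp[pos + 4:pos + length].decode("utf-16-le").rstrip("\x00")
        pos += length
    return None

def parse_load_option(raw):
    """Decode a Boot#### variable (EFI_LOAD_OPTION) into its attributes, label and loader path."""
    _, data = split_efivar(raw)
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    pos = 6
    while pos + 2 <= len(data) and data[pos:pos + 2] != b"\x00\x00":   # NUL-terminated UTF-16LE
        pos += 2
    description = data[6:pos].decode("utf-16-le")
    pos += 2
    return {"active": bool(attrs & LOAD_OPTION_ACTIVE),
            "description": description,
            "file_path": file_path_from_device_path(data[pos:pos + path_len]),
            "optional_data": data[pos + path_len:]}       # e.g. kernel command line for an EFI stub

def make_load_option(description, file_path, active=True):
    """Construct a Boot#### value as efivarfs would present it (for offline testing only)."""
    path = file_path.encode("utf-16-le") + b"\x00\x00"
    dp = struct.pack("<BBH", 0x04, 0x04, 4 + len(path)) + path + struct.pack("<BBH", 0x7F, 0xFF, 4)
    data = struct.pack("<IH", LOAD_OPTION_ACTIVE if active else 0, len(dp))
    data += description.encode("utf-16-le") + b"\x00\x00" + dp
    return struct.pack("<I", 7) + data               # 7 = NON_VOLATILE | BOOTSERVICE | RUNTIME

if __name__ == "__main__":
    # Constructed sample variables; on a real system use read_efivar("SecureBoot") and friends.
    print("Secure Boot enforcing:", secure_boot_enabled(b"\x06\x00\x00\x00\x01"))
    print("boot order:", parse_boot_order(b"\x07\x00\x00\x00\x01\x00\x00\x00"))
    print(parse_load_option(make_load_option("alpine", "\\EFI\\alpine\\grubx64.efi")))
```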

See also