UEFI Secure Boot: Difference between revisions

From Alpine Linux
(Remove WIP)
(Add "See also" section)
 
(12 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Refer [[Alpine_and_UEFI|UEFI]] page for info other than Secure boot.
== Mounting ESP ==
== Mounting ESP ==


Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:
Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:
{{cmd|install -d -m 000 /boot/efi}}
 
{{cmd|# install -d -m 000 /boot/efi}}


Add the following line to {{path|/etc/fstab}}:
Add the following line to {{path|/etc/fstab}}:
  UUID=<first-partition-uuid>  /boot/efi  vfat  rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
 
{{Cat|/etc/fstab|...
UUID{{=}}<first-partition-uuid>  /boot/efi  vfat  rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}


Mount it:
Mount it:
{{cmd|mount /boot/efi}}
 
{{cmd|# mount /boot/efi}}


== Generating own UEFI keys ==
== Generating own UEFI keys ==


Install package {{pkg|efi-mkkeys}}:
Install package {{pkg|efi-mkkeys}}:
{{cmd|apk add efi-mkkeys}}
 
{{cmd|# apk add efi-mkkeys}}


Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:
Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:
{{cmd|mkdir -p /etc/uefi-keys/vendor
 
cd /etc/uefi-keys/vendor
{{cmd|# mkdir -p /etc/uefi-keys/vendor
for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}
&#35; cd /etc/uefi-keys/vendor
&#35; for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}


Generate your self-signed PK, KEK and db key, including .esl and .auth files:
Generate your self-signed PK, KEK and db key, including .esl and .auth files:
{{cmd|efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}
 
{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}


Now you can uninstall {{pkg|efi-mkkeys}} if you want:
Now you can uninstall {{pkg|efi-mkkeys}} if you want:
{{cmd|apk del efi-mkkeys}}
 
{{cmd|# apk del efi-mkkeys}}


== Generating Unified Kernel Image ==
== Generating Unified Kernel Image ==


Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:
Install package {{pkg|secureboot-hook}}, {{pkg|gummiboot-efistub}}, and {{pkg|efibootmgr}}:
{{cmd|apk add secureboot-hook efibootmgr}}
 
{{cmd|# apk add secureboot-hook gummiboot-efistub efibootmgr}}


Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:
Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:
  cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"
 
<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>


Run kernel hooks:
Run kernel hooks:
{{cmd|apk fix kernel-hooks}}
 
{{cmd|# apk fix kernel-hooks}}


Disable {{pkg|mkinitfs}} trigger:
Disable {{pkg|mkinitfs}} trigger:
{{cmd|echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}
 
{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}


Add boot entry:
Add boot entry:
{{cmd|efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}
 
{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}
 
Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.


== Enrolling UEFI keys ==
== Enrolling UEFI keys ==
Line 62: Line 78:
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# '''Platform Key (PK)''' > '''Enroll PK''' > select your Flash Drive > select '''PK.auth''' (this MUST be the last!)
# Go to top, '''Restart''' > '''Exit Saving Changes'''
# Go to top, '''Restart''' > '''Exit Saving Changes'''
Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
# Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Disabled'''
# Select '''Clear All Secure Boot Keys'''
# Press F10 to save settings
# Reboot system and enter Alpine Linux
# Enable the [[Repositories|Community Repository]]
# Run the following commands:
{{cmd|# apk update
&#35; apk add sbctl
&#35; sbctl create-keys
&#35; sbctl sign /boot/efi/Alpine/linux-lts.efi
&#35; sbctl enroll-keys -m  }}
# <li value="9"> Reboot system and enter HP Bios Setup Utility (F10).
# Go to '''System Configuration'''
# Change '''Secure Boot''' to '''Enabled'''
# Press F10 to save settings
Note: If you needed to use sbctl, you will have to run <code>sbctl sign /boot/efi/Alpine/linux-lts.efi</code> every time you upgrade the kernel. You should '''not''' need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.
== See also ==
* [[Initramfs init]]
* <code>mkinitfs-bootparam(7)</code>


== Resources ==
== Resources ==


* https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
* https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)
 
[[Category:Booting]] [[Category:UEFI]]

Latest revision as of 05:49, 12 November 2024

Refer UEFI page for info other than Secure boot.

Mounting ESP

Prepare mount point for UEFI partition (ESP) at /boot/efi:

# install -d -m 000 /boot/efi

Add the following line to /etc/fstab:

Contents of /etc/fstab

... UUID=<first-partition-uuid> /boot/efi vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2

Mount it:

# mount /boot/efi

Generating own UEFI keys

Install package efi-mkkeys:

# apk add efi-mkkeys

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

# mkdir -p /etc/uefi-keys/vendor # cd /etc/uefi-keys/vendor # for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

# efi-mkkeys -s "Your Name" -o /etc/uefi-keys

Now you can uninstall efi-mkkeys if you want:

# apk del efi-mkkeys

Generating Unified Kernel Image

Install package secureboot-hook, gummiboot-efistub, and efibootmgr:

# apk add secureboot-hook gummiboot-efistub efibootmgr

Adjust parameter cmdline in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd= parameter! Example of a valid cmdline:

cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"

Run kernel hooks:

# apk fix kernel-hooks

Disable mkinitfs trigger:

# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf

Add boot entry:

# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

Enrolling UEFI keys

Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

  1. Reboot system and enter ThinkPad Setup (F1).
  2. Go to Security > Secure Boot
  3. Change Secure Boot to Enabled
  4. Reset to Setup Mode
  5. Go to Key Management
  6. Authorized Signature Database (DB)
    • Enroll DB > select your Flash Drive > select db.auth
    • Delete DB > delete Microsoft certificates (optional)
  7. Key Exchange Key (KEK)
    • Enroll KEK > select your Flash Drive > select KEK.auth
    • Delete KEK > delete Microsoft certificates (optional)
  8. Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
  9. Go to top, Restart > Exit Saving Changes

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):

  1. Reboot system and enter HP Bios Setup Utility (F10).
  2. Go to System Configuration
  3. Change Secure Boot to Disabled
  4. Select Clear All Secure Boot Keys
  5. Press F10 to save settings
  6. Reboot system and enter Alpine Linux
  7. Enable the Community Repository
  8. Run the following commands:

# apk update # apk add sbctl # sbctl create-keys # sbctl sign /boot/efi/Alpine/linux-lts.efi # sbctl enroll-keys -m

  1. Reboot system and enter HP Bios Setup Utility (F10).
  2. Go to System Configuration
  3. Change Secure Boot to Enabled
  4. Press F10 to save settings

Note: If you needed to use sbctl, you will have to run sbctl sign /boot/efi/Alpine/linux-lts.efi every time you upgrade the kernel. You should not need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.

See also

Resources