UEFI Secure Boot: Difference between revisions
m (→Enrolling UEFI keys: Make command in newly created note note one line) |
WhyNotHugo (talk | contribs) (Add "See also" section) |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
Refer [[Alpine_and_UEFI|UEFI]] page for info other than Secure boot. | |||
== Mounting ESP == | == Mounting ESP == | ||
Line 36: | Line 37: | ||
== Generating Unified Kernel Image == | == Generating Unified Kernel Image == | ||
Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}: | Install package {{pkg|secureboot-hook}}, {{pkg|gummiboot-efistub}}, and {{pkg|efibootmgr}}: | ||
{{cmd|# apk add secureboot-hook efibootmgr}} | {{cmd|# apk add secureboot-hook gummiboot-efistub efibootmgr}} | ||
Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>: | Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>: | ||
Line 98: | Line 99: | ||
Note: If you needed to use sbctl, you will have to run <code>sbctl sign /boot/efi/Alpine/linux-lts.efi</code> every time you upgrade the kernel. You should '''not''' need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot. | Note: If you needed to use sbctl, you will have to run <code>sbctl sign /boot/efi/Alpine/linux-lts.efi</code> every time you upgrade the kernel. You should '''not''' need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot. | ||
== See also == | |||
* [[Initramfs init]] | |||
* <code>mkinitfs-bootparam(7)</code> | |||
== Resources == | == Resources == | ||
Line 105: | Line 111: | ||
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package) | * [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package) | ||
[[Category:Booting]] | [[Category:Booting]] [[Category:UEFI]] |
Latest revision as of 05:49, 12 November 2024
Refer UEFI page for info other than Secure boot.
Mounting ESP
Prepare mount point for UEFI partition (ESP) at /boot/efi:
# install -d -m 000 /boot/efi
Add the following line to /etc/fstab:
Contents of /etc/fstab
Mount it:
# mount /boot/efi
Generating own UEFI keys
Install package efi-mkkeys:
# apk add efi-mkkeys
Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:
# mkdir -p /etc/uefi-keys/vendor # cd /etc/uefi-keys/vendor # for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done
Generate your self-signed PK, KEK and db key, including .esl and .auth files:
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
Now you can uninstall efi-mkkeys if you want:
# apk del efi-mkkeys
Generating Unified Kernel Image
Install package secureboot-hook, gummiboot-efistub, and efibootmgr:
# apk add secureboot-hook gummiboot-efistub efibootmgr
Adjust parameter cmdline
in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd=
parameter! Example of a valid cmdline
:
cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"
Run kernel hooks:
# apk fix kernel-hooks
Disable mkinitfs trigger:
# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
Add boot entry:
# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose
Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.
Enrolling UEFI keys
Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).
Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.
- Reboot system and enter ThinkPad Setup (F1).
- Go to Security > Secure Boot
- Change Secure Boot to Enabled
- Reset to Setup Mode
- Go to Key Management
- Authorized Signature Database (DB)
- Enroll DB > select your Flash Drive > select db.auth
- Delete DB > delete Microsoft certificates (optional)
- Key Exchange Key (KEK)
- Enroll KEK > select your Flash Drive > select KEK.auth
- Delete KEK > delete Microsoft certificates (optional)
- Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
- Go to top, Restart > Exit Saving Changes
Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):
- Reboot system and enter HP Bios Setup Utility (F10).
- Go to System Configuration
- Change Secure Boot to Disabled
- Select Clear All Secure Boot Keys
- Press F10 to save settings
- Reboot system and enter Alpine Linux
- Enable the Community Repository
- Run the following commands:
# apk update # apk add sbctl # sbctl create-keys # sbctl sign /boot/efi/Alpine/linux-lts.efi # sbctl enroll-keys -m
- Reboot system and enter HP Bios Setup Utility (F10).
- Go to System Configuration
- Change Secure Boot to Enabled
- Press F10 to save settings
Note: If you needed to use sbctl, you will have to run sbctl sign /boot/efi/Alpine/linux-lts.efi
every time you upgrade the kernel. You should not need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.
See also
- Initramfs init
mkinitfs-bootparam(7)