Create UEFI secureboot USB: Difference between revisions
Line 30: | Line 30: | ||
== Create MOK Key == | == Create MOK Key == | ||
{{Cmd | openssl req -new -x509 -newkey rsa:2048 -keyout "$USER"_local.key -out "$USER"_local.crt -nodes -days 3650 -subj "/CN{{=}}$USER/" | {{Cmd | cd $HOME | ||
openssl req -new -x509 -newkey rsa:2048 -keyout "$USER"_local.key -out "$USER"_local.crt -nodes -days 3650 -subj "/CN{{=}}$USER/" | |||
openssl x509 -in "$USER"_local.crt -out "$USER"_local.cer -outform DER}} | openssl x509 -in "$USER"_local.crt -out "$USER"_local.cer -outform DER}} | ||
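Review bot: `-nodes` on the `openssl req` line leaves the MOK private key (`"$USER"_local.key`) unencrypted on disk, and the added `cd $HOME` only changes where that file is written. Anything signed with this key is trusted once the certificate is enrolled, so consider dropping `-nodes` so the key is passphrase-protected, and add a sentence stating that the `.key` file must stay off the USB stick.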
Line 36: | Line 37: | ||
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz | Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz | ||
Extract it and copy MokManager.efi and shim.efi to /mnt/efi/boot | Extract it and copy MokManager.efi and shim.efi to /mnt/efi/boot | ||
{{Cmd | cd /mnt | |||
wget -qO- http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz | tar xvz --strip-components{{=}}1 }} | |||
== Install gummiboot == | == Install gummiboot == |
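Review bot: the added `wget -qO- http://... | tar xvz` line streams the shim archive over plain HTTP straight into `tar`, with no checksum or signature check before the files land on the boot partition. Download to a file first, verify it against a digest obtained from a trusted source, then extract. Also, the command runs in `/mnt`, while the sentence above it says to copy `MokManager.efi` and `shim.efi` to `/mnt/efi/boot`; either change the `cd` target or state where `--strip-components{{=}}1` places the two files.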
Revision as of 14:20, 30 December 2018
This article explains how to create a UEFI boot USB with parted and gummiboot.
In this example we will use /dev/sdX. This will be different depending on your system.
Create GPT boot partition
Install parted
apk add parted
Create a single UEFI boot partition.
parted --script /dev/sdX mklabel gpt
parted --script --align=optimal /dev/sdX mkpart ESP fat32 1MiB 100%
parted --script /dev/sdX set 1 boot on
Create fat32 filesystem
Create a fat32 filesystem with the name `ALPINE`.
mkfs.vfat -n ALPINE /dev/sdX1
Copy content of ISO image to filesystem
It is possible to mount the ISO image and copy the files with cp or rsync, or to extract its content with 7z. In this example I will use the uniso utility from the alpine-conf package.
mount -t vfat /dev/sdX1 /mnt
cd /mnt
uniso < /path/to/alpine-3.8.2-x86_64.iso
Create MOK Key
cd $HOME
openssl req -new -x509 -newkey rsa:2048 -keyout "$USER"_local.key -out "$USER"_local.crt -nodes -days 3650 -subj "/CN=$USER/"
openssl x509 -in "$USER"_local.crt -out "$USER"_local.cer -outform DER
Copy signed shim
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz
Extract it and copy MokManager.efi and shim.efi to /mnt/efi/boot
cd /mnt
wget -qO- http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz | tar xvz --strip-components=1
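An added example, not part of the original article or the shim project: one way to check a downloaded shim archive against a SHA-256 digest before copying shim.efi and MokManager.efi to the boot partition. The function name and its arguments are assumptions, and the article does not publish a digest, so the expected value must come from a source you trust.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the article).
# Usage: verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
#   e.g. verify_and_extract shim-signed-0.2.tgz <digest-from-trusted-source> /mnt/efi/boot
# Returns 0 on success, 1 on digest mismatch, 2 on usage or extraction error.
verify_and_extract() {
    archive=$1; expected=$2; dest=$3
    [ -f "$archive" ] && [ -n "$expected" ] && [ -n "$dest" ] || return 2

    # Compare the digest before any byte of the archive is unpacked.
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $archive: got $actual" >&2
        return 1
    fi

    # Refuse archives whose member names are absolute or contain "..".
    if tar tzf "$archive" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
        echo "unsafe path in $archive" >&2
        return 2
    fi

    # Unpack into a scratch directory, then copy only the two EFI binaries
    # the article names, wherever they sit inside the archive.
    tmp=$(mktemp -d) || return 2
    tar xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    mkdir -p "$dest" || { rm -rf "$tmp"; return 2; }
    for name in shim.efi MokManager.efi; do
        src=$(find "$tmp" -type f -name "$name" | head -n 1)
        [ -n "$src" ] || { rm -rf "$tmp"; return 2; }
        cp "$src" "$dest/$name" || { rm -rf "$tmp"; return 2; }
    done
    rm -rf "$tmp"
    return 0
}
```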
Install gummiboot
Unmount the partition
Finally, unmount the disk.
cd ~ && umount /mnt