Create UEFI secureboot USB: Difference between revisions

From Alpine Linux
Revision as of 14:48, 30 December 2018

This article explains how to create a UEFI Secure Boot USB with parted and gummiboot, using a signed shim and your own Machine Owner Key (MOK) to sign the bootloader and kernel.

In this example the USB device is /dev/sdX. The actual device name depends on your system.

Create GPT boot partition

Install parted

apk add parted

Create a single UEFI boot partition.

Warning: This will erase all content of /dev/sdX. Make sure that you use the correct device.


parted --script /dev/sdX mklabel gpt
parted --script --align=optimal /dev/sdX mkpart ESP fat32 1MiB 100%
parted --script /dev/sdX set 1 boot on

Create fat32 filesystem

Create a FAT32 filesystem with the volume label `ALPINE`.

mkfs.vfat -n ALPINE /dev/sdX1

Copy content of ISO image to filesystem

It is possible to mount the ISO image and copy the files with cp or rsync, and it is also possible to use 7z to extract the content of the ISO. In this example I will use the uniso utility from the alpine-conf package.

mount -t vfat /dev/sdX1 /mnt
cd /mnt
uniso < /path/to/alpine-3.8.2-x86_64.iso

Create MOK Key

cd $HOME
# self-signed key pair, valid for 10 years; the .crt (PEM) is used by sbsign, the .cer (DER) is enrolled through MokManager
openssl req -new -x509 -newkey rsa:2048 -keyout "$USER"_local.key -out "$USER"_local.crt -nodes -days 3650 -subj "/CN=$USER/"
openssl x509 -in "$USER"_local.crt -out "$USER"_local.cer -outform DER

Remove Grub and Install gummiboot

Install gummiboot

apk add gummiboot
rm -rf /mnt/efi /mnt/boot/grub
gummiboot install --path=/mnt --no-variables

Copy signed shim

Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz and extract it so that MokManager.efi and shim.efi end up in /mnt/EFI/Boot (the vfat filesystem is case-insensitive, so /mnt/efi/boot is the same directory). The command below extracts the archive directly into that directory.

cd /mnt/EFI/Boot
wget -qO- http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz | tar xvz --strip-components=1 --no-same-owner

Install Shim and Certificate

# note the braces: ${USER}_local, because $USER_local would be read by the shell as an (empty) variable named USER_local
cp "$HOME/${USER}_local.cer" /mnt/EFI/Boot
cd /mnt/EFI/Boot
mv BOOTX64.EFI grubx64.efi    # gummiboot's loader; shim loads the second-stage loader under the name grubx64.efi
mv shim.efi bootx64.efi       # the signed shim becomes the default EFI boot entry

Sign the Bootloader and kernel with your key

# still in /mnt/EFI/Boot from the previous step
sbsign --key "$HOME/${USER}_local.key" --cert "$HOME/${USER}_local.crt" grubx64.efi
mv grubx64.efi.signed grubx64.efi
cd /mnt/boot
sbsign --key "$HOME/${USER}_local.key" --cert "$HOME/${USER}_local.crt" vmlinuz-vanilla
mv vmlinuz-vanilla.signed vmlinuz-vanilla

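Before unmounting, it is worth confirming that grubx64.efi and vmlinuz-vanilla actually received an Authenticode signature (an unsigned file is exactly what shim will refuse to load once Secure Boot is on). The following checker is an added example, not part of the original article or of sbsigntools: it walks the mounted ESP and reports, per EFI binary, whether the PE certificate table is present. The mount point /mnt and the constructed sample image in build_sample_pe are assumptions.

```python
"""Check which EFI binaries on the mounted ESP carry an Authenticode signature."""
import struct
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory index of the certificate table


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (offset, size) of the PE certificate table; (0, 0) means no signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image: missing PE signature")
    opt_off = pe_off + 24                                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                         # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                                       # PE32+, used by x86_64 EFI binaries
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def is_signed(data: bytes) -> bool:
    """True if the image has a non-empty certificate table that lies inside the file."""
    off, size = security_directory(data)
    return off != 0 and size != 0 and off + size <= len(data)


def scan_esp(mount: str) -> dict[str, bool]:
    """Map each *.efi / *.EFI / vmlinuz* file under the mounted ESP to its signed state."""
    root = Path(mount)
    paths = [*root.rglob("*.efi"), *root.rglob("*.EFI"), *root.rglob("vmlinuz*")]
    return {str(p.relative_to(root)): is_signed(p.read_bytes()) for p in paths if p.is_file()}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not a real EFI binary) so the checker runs offline."""
    pe_off = 0x40
    img = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", img, 0x3C, pe_off)
    img += b"PE\0\0" + b"\0" * 20                               # zeroed COFF file header
    opt = bytearray(112 + 8 * 16)                               # PE32+ optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    img += opt
    if signed:
        cert = b"\0" * 8 + b"CONSTRUCTED-WIN_CERTIFICATE"      # placeholder certificate table
        struct.pack_into("<II", img, pe_off + 24 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(img), len(cert))
        img += cert
    return bytes(img)
```

Call scan_esp("/mnt") while the USB is still mounted; every entry for EFI/Boot/grubx64.efi and boot/vmlinuz-vanilla should be True. This only detects presence of a signature; sbverify --cert "$HOME/${USER}_local.crt" <file> from sbsigntools remains the authoritative check that the signature was made with your certificate.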
Unmount the partition

Finally, unmount the disk.

cd ~ && umount /mnt