Create UEFI secureboot USB: Difference between revisions
Revision as of 10:00, 31 December 2018
This article explains how to create a UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with Alpine Linux did not work and Gummiboot only worked on one of the two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them, given time.
In this example we will use /dev/sdX. This will be different depending on your system.
Create GPT boot partition
Install parted
apk add parted
Create a single UEFI boot partition.
parted --script /dev/sdX mklabel gpt
parted --script --align=optimal /dev/sdX mkpart ESP fat32 1MiB 100%
parted --script /dev/sdX set 1 boot on
Create fat32 filesystem
Create a fat32 filesystem with the label ALPINE.
mkfs.vfat -n ALPINE /dev/sdX1
Copy content of ISO image to filesystem
It is possible to mount the ISO image and copy the files with cp or rsync, or to extract the contents of the ISO with 7z. In this example I will use the uniso utility from the alpine-conf package.
mount -t vfat /dev/sdX1 /mnt
cd /mnt
uniso < /path/to/alpine-3.8.2-x86_64.iso
Create MOK Key
openssl req -new -x509 -newkey rsa:2048 -keyout $HOME/alpine_local.key -out $HOME/alpine_local.crt -nodes -days 3650 -subj "/CN=Alpine Local CA/"
openssl x509 -in $HOME/alpine_local.crt -out $HOME/alpine_local.cer -outform DER
Download and install rEFInd
Download the binary zip file of rEFInd from http://www.rodsbooks.com/refind/getting.html. In this example we will use the current version of rEFInd, refind-bin-0.11.4.zip, and assume it is stored in your user's Downloads directory. There may be a more recent version of rEFInd available when you download; just substitute the paths in the example below as necessary.
unzip $HOME/Downloads/refind-bin-0.11.4.zip -d $HOME/Downloads
cd /mnt/efi/boot
cp -r $HOME/Downloads/refind-bin-0.11.4/refind/* .
Copy signed shim
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz. In this example we assume it is stored in your user's Downloads directory. Substitute the paths in the example below as necessary.
tar zxf $HOME/Downloads/shim-signed-0.2.tgz -C $HOME/Downloads
cd /mnt/EFI/Boot
cp $HOME/Downloads/shim-signed/* .
Install Shim and Certificate
cp $HOME/alpine_local.cer /mnt/EFI/Boot
cd /mnt/EFI/Boot
mv refind_x64.efi grubx64.efi
mv shim.efi bootx64.efi
Sign the Bootloader and kernel with your key
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt grubx64.efi
mv grubx64.efi.signed grubx64.efi
cd /mnt/boot
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt vmlinuz-vanilla
mv vmlinuz-vanilla.signed vmlinuz-vanilla
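Before unmounting, it is worth confirming that every binary shim will load (grubx64.efi and the EFI-stub kernel vmlinuz-vanilla) actually received an Authenticode signature table from sbsign. The checker below is an added example, not code from the wiki page or from sbsigntools; it parses the PE security directory directly and builds a constructed minimal PE32+ image for offline use, so the only assumption is the standard PE/COFF layout.

```python
"""Added example: confirm that EFI binaries carry an Authenticode signature table
before unmounting the USB (not part of the wiki page or of sbsigntools)."""
import struct
from pathlib import Path

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, the type sbsign writes

def authenticode_entries(data: bytes) -> list:
    """Return (revision, type) for each WIN_CERTIFICATE in the PE security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                   # skip COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_base = opt_off + (112 if magic == 0x20B else 96)         # PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 4 * 8)  # dir 4
    entries, pos = [], sec_off                                  # value is a file offset
    while sec_size and pos + 8 <= sec_off + sec_size:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8:
            break                                               # corrupt table, stop
        entries.append((rev, ctype))
        pos += (length + 7) & ~7                                # entries are 8-byte aligned
    return entries

def is_signed(data: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t in authenticode_entries(data))

def build_pe(cert_blob: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image, optionally with a certificate table (sample input)."""
    hdr = bytearray(64); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 64)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)
    table = b""
    if cert_blob:
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        table += b"\0" * (-len(table) % 8)
        struct.pack_into("<II", opt, 112 + 32, len(hdr) + len(opt), len(table))
    return bytes(hdr) + bytes(opt) + table

if __name__ == "__main__":
    import sys
    # e.g. python3 check_signed.py /mnt/EFI/Boot/grubx64.efi /mnt/boot/vmlinuz-vanilla
    for p in sys.argv[1:]:
        print(p, "signed" if is_signed(Path(p).read_bytes()) else "UNSIGNED")
```

This only proves a signature table is present; `sbverify --cert $HOME/alpine_local.crt grubx64.efi` additionally checks that the signature verifies against your MOK certificate.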
Unmount the partition
Finally, unmount the disk.
cd ~ && umount /mnt