Create UEFI secureboot USB: Difference between revisions

From Alpine Linux
No edit summary
Line 1: Line 1:
This article explains how to create an UEFI boot USB with parted and gummiboot.
This article explains how to create an UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with ALpine Linux did not work and Gummiboot only worked on one of two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them given time.


In this example we will use {{Path|/dev/sdX}}. This will be different depending on your system.
In this example we will use {{Path|/dev/sdX}}. This will be different depending on your system.
Line 30: Line 30:


== Create MOK Key ==
== Create MOK Key ==
{{Cmd | cd $HOME
{{Cmd | openssl req -new -x509 -newkey rsa:2048 -keyout $HOME/alpine_local.key -out $HOME/alpine_local.crt -nodes -days 3650 -subj "/CN{{=}}Alpine Local CA/"
openssl req -new -x509 -newkey rsa:2048 -keyout "$USER"_local.key -out "$USER"_local.crt -nodes -days 3650 -subj "/CN{{=}}$USER/"
  openssl x509 -in $HOME/alpine_local.crt -out $HOME/alpine_local.cer -outform DER}}
  openssl x509 -in "$USER"_local.crt -out "$USER"_local.cer -outform DER}}


== Remove Grub and Install gummiboot ==
== Download and install rEFInd ==
Install {{Pkg|gummiboot}}
Download the binary zip file of rEFInd from http://www.rodsbooks.com/refind/getting.html. In this example we will use the current  version of rEFInd, refind-bin-0.11.4.zip and assume it is stored in your users download directory. There may be a more recent version of rEFInd available when you download, just substitute the paths in the example below as necessary.
{{Cmd | apk add gummiboot
 
  rm -rf /mnt/efi /mnt/boot/grub
{{Cmd | unzip $HOME/Downloads/refind-bin-0.11.4.zip -d $HOME/Downloads
  gummiboot install --path{{=}}/mnt --no-variables}}
  cd /mnt/efi/boot
  cp -r $HOME/Downloads/refind-bin-0.11.4/refind/* .}}


== Copy signed shim ==
== Copy signed shim ==
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz
Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz. In this example we  assume it is stored in your users download directory. Substitute the paths in the example below as necessary.
Extract it and copy MokManager.efi and shim.efi to /mnt/efi/boot


{{Cmd | cd /mnt/EFI/Boot
{{Cmd | tar zxf $HOME/Downloads/shim-signed-0.2.tgz -C $HOME/Downloads
  wget -qO- http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz | tar xvz --strip-components{{=}}1 --no-same-owner}}
cd /mnt/EFI/Boot
  cp }$HOME/Downloads/shim-signed/* .}


== Install Shim and Certificate ==
== Install Shim and Certificate ==
{{Cmd | cp $HOME/$USER_local.cer /mnt/EFI/Boot
{{Cmd | cp $HOME/alpine_local.cer /mnt/EFI/Boot
  cd /mnt/EFI/Boot
  cd /mnt/EFI/Boot
  mv BOOTX64.EFI grubx64.efi
  mv refind_x64.efi grubx64.efi
  mv shim.efi bootx64.efi }}
  mv shim.efi bootx64.efi }}


== Sign the Bootloader and kernel with your key ==
== Sign the Bootloader and kernel with your key ==
{{Cmd | sbsign --key $HOME/$USER_local.key --cert $HOME/$USER_local.crt grubx64.efi
{{Cmd | sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt grubx64.efi
  mv grubx64.efi.signed grubx64.efi
  mv grubx64.efi.signed grubx64.efi
  cd /mnt/boot
  cd /mnt/boot
  sbsign --key $HOME/$USER_local.key --cert $HOME/$USER_local.crt vmlinuz-vanilla
  sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt vmlinuz-vanilla
  mv vmlinuz-vanilla.signed vmlinuz-vanilla}}
  mv vmlinuz-vanilla.signed vmlinuz-vanilla}}
== Edit configuration files for boot loader ==
We need to edit the loader.conf for gummiboot.
{{Cat | /mnt/loader/loader.conf |default alpine
timeout 4
}}
We need to create alpine.conf in entries
{{Cat | /mnt/loader/entries/alpine.conf |title    Alpine Linux
linux    /boot/vmlinuz-vanilla
initrd  /boot/initramfs-vanilla
options  modloop{{=}}/boot/modloop-vanilla modules{{=}}loop,squashfs,sd-mod,usb-storage
}}
We need to create mokmanager.conf in entries
{{Cat | /mnt/loader/entries/mokmanager.conf |title MokManager
efi /EFI/Boot/MokManager.efi
}}


== Unmount the partition ==
== Unmount the partition ==

Revision as of 10:00, 31 December 2018

This article explains how to create an UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with ALpine Linux did not work and Gummiboot only worked on one of two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them given time.

In this example we will use /dev/sdX. This will be different depending on your system.

Create GPT boot partition

Install parted

apk add parted

Create a single UEFI boot partitions.

Warning: This will erase all content of your /dev/sdX. Make sure that you use correct device.


parted --script /dev/sdX mklabel gpt parted --script --align=optimal /dev/sdX mkpart ESP fat32 1MiB 100% parted --script /dev/sdX set 1 boot on

Create fat32 filesystem

Create a fat32 system with the name `Alpine`.

mkfs.vfat -n ALPINE /dev/sdX1

Copy content of ISO image to filesystem

It is possible to mount the iso image and copy files with cp or rsync and it is also possible to use 7z to extract content from the iso. In this example I will use the uniso utility from alpine-conf package.

mount -t vfat /dev/sdX1 /mnt cd /mnt uniso < /path/to/alpine-3.8.2-x86_64.iso

Create MOK Key

openssl req -new -x509 -newkey rsa:2048 -keyout $HOME/alpine_local.key -out $HOME/alpine_local.crt -nodes -days 3650 -subj "/CN=Alpine Local CA/" openssl x509 -in $HOME/alpine_local.crt -out $HOME/alpine_local.cer -outform DER

Download and install rEFInd

Download the binary zip file of rEFInd from http://www.rodsbooks.com/refind/getting.html. In this example we will use the current version of rEFInd, refind-bin-0.11.4.zip and assume it is stored in your users download directory. There may be a more recent version of rEFInd available when you download, just substitute the paths in the example below as necessary.

unzip $HOME/Downloads/refind-bin-0.11.4.zip -d $HOME/Downloads cd /mnt/efi/boot cp -r $HOME/Downloads/refind-bin-0.11.4/refind/* .

Copy signed shim

Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz. In this example we assume it is stored in your users download directory. Substitute the paths in the example below as necessary.

{{Cmd | tar zxf $HOME/Downloads/shim-signed-0.2.tgz -C $HOME/Downloads

cd /mnt/EFI/Boot
cp }$HOME/Downloads/shim-signed/* .}

Install Shim and Certificate

cp $HOME/alpine_local.cer /mnt/EFI/Boot cd /mnt/EFI/Boot mv refind_x64.efi grubx64.efi mv shim.efi bootx64.efi

Sign the Bootloader and kernel with your key

sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt grubx64.efi mv grubx64.efi.signed grubx64.efi cd /mnt/boot sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt vmlinuz-vanilla mv vmlinuz-vanilla.signed vmlinuz-vanilla

Unmount the partition

Finally umount the disk

cd ~ && umount /mnt