UEFI Secure Boot: Difference between revisions

From Alpine Linux
(Add gummiboot-efistub to packages needed to install)
(Add category UEFI)
Line 105: Line 105:
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)
* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)


[[Category:Booting]]
[[Category:Booting]] [[Category:UEFI]]

Revision as of 10:09, 7 November 2023

Mounting ESP

Prepare mount point for UEFI partition (ESP) at /boot/efi:

# install -d -m 000 /boot/efi

Add the following line to /etc/fstab:

Contents of /etc/fstab

... UUID=<first-partition-uuid> /boot/efi vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2

Mount it:

# mount /boot/efi

Generating own UEFI keys

Install package efi-mkkeys:

# apk add efi-mkkeys

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

# mkdir -p /etc/uefi-keys/vendor # cd /etc/uefi-keys/vendor # for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

# efi-mkkeys -s "Your Name" -o /etc/uefi-keys

Now you can uninstall efi-mkkeys if you want:

# apk del efi-mkkeys

Generating Unified Kernel Image

Install package secureboot-hook, gummiboot-efistub, and efibootmgr:

# apk add secureboot-hook gummiboot-efistub efibootmgr

Adjust parameter cmdline in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd= parameter! Example of a valid cmdline:

cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"

Run kernel hooks:

# apk fix kernel-hooks

Disable mkinitfs trigger:

# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf

Add boot entry:

# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

Enrolling UEFI keys

Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

  1. Reboot system and enter ThinkPad Setup (F1).
  2. Go to Security > Secure Boot
  3. Change Secure Boot to Enabled
  4. Reset to Setup Mode
  5. Go to Key Management
  6. Authorized Signature Database (DB)
    • Enroll DB > select your Flash Drive > select db.auth
    • Delete DB > delete Microsoft certificates (optional)
  7. Key Exchange Key (KEK)
    • Enroll KEK > select your Flash Drive > select KEK.auth
    • Delete KEK > delete Microsoft certificates (optional)
  8. Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
  9. Go to top, Restart > Exit Saving Changes

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):

  1. Reboot system and enter HP Bios Setup Utility (F10).
  2. Go to System Configuration
  3. Change Secure Boot to Disabled
  4. Select Clear All Secure Boot Keys
  5. Press F10 to save settings
  6. Reboot system and enter Alpine Linux
  7. Enable the Community Repository
  8. Run the following commands:

# apk update # apk add sbctl # sbctl create-keys # sbctl sign /boot/efi/Alpine/linux-lts.efi # sbctl enroll-keys -m

  1. Reboot system and enter HP Bios Setup Utility (F10).
  2. Go to System Configuration
  3. Change Secure Boot to Enabled
  4. Press F10 to save settings

Note: If you needed to use sbctl, you will have to run sbctl sign /boot/efi/Alpine/linux-lts.efi every time you upgrade the kernel. You should not need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.

Resources