UEFI Secure Boot
Revision as of 10:09, 7 November 2023
Mounting ESP
Prepare mount point for UEFI partition (ESP) at /boot/efi:
# install -d -m 000 /boot/efi
Add the following line to /etc/fstab:
Contents of /etc/fstab
Mount it:
# mount /boot/efi
Generating own UEFI keys
Install package efi-mkkeys:
# apk add efi-mkkeys
Before creating new keys and modifying EFI variables, back up the current variables so that they can be restored if something goes wrong (efi-readvar is provided by the efitools package):
# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done
Generate your self-signed PK, KEK and db key, including .esl and .auth files:
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
Now you can uninstall efi-mkkeys if you want:
# apk del efi-mkkeys
Generating Unified Kernel Image
Install package secureboot-hook, gummiboot-efistub, and efibootmgr:
# apk add secureboot-hook gummiboot-efistub efibootmgr
Adjust the cmdline parameter in /etc/kernel-hooks.d/secureboot.conf. It must not contain an initrd= parameter: the initramfs is embedded in the Unified Kernel Image, and an initrd= parameter would make the kernel load a separate, unsigned file instead. Example of a valid cmdline:
cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"
Run kernel hooks:
# apk fix kernel-hooks
Disable mkinitfs trigger:
# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
Add a boot entry, where <dev> is the disk holding the ESP and --part is the number of the ESP partition on it:
# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --loader /Alpine/linux-lts.efi --verbose
Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.
Enrolling UEFI keys
Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).
Launch the firmware setup utility and enroll the db, KEK and PK certificates, in this order. Firmware setup interfaces vary between vendors; the following steps for a ThinkPad T14s are only an example.
- Reboot the system and enter ThinkPad Setup (F1).
- Go to Security > Secure Boot
- Change Secure Boot to Enabled
- Reset to Setup Mode
- Go to Key Management
  - Authorized Signature Database (DB)
    - Enroll DB > select your flash drive > select db.auth
    - Delete DB > delete the Microsoft certificates (optional)
  - Key Exchange Key (KEK)
    - Enroll KEK > select your flash drive > select KEK.auth
    - Delete KEK > delete the Microsoft certificates (optional)
  - Platform Key (PK) > Enroll PK > select your flash drive > select PK.auth (this MUST be the last step: enrolling the PK leaves Setup Mode, after which db and KEK can only be changed with signed updates)
- Go to the top, Restart > Exit Saving Changes
Some devices, such as HP Pavilion laptops, cannot enroll keys through the setup interface. On those, follow the steps below instead (steps 1-5 and 9-12 vary by machine; they are given for HP Pavilion laptops as an example):
1. Reboot the system and enter the HP BIOS Setup Utility (F10).
2. Go to System Configuration
3. Change Secure Boot to Disabled
4. Select Clear All Secure Boot Keys
5. Press F10 to save settings
6. Reboot the system and boot into Alpine Linux
7. Enable the Community repository
8. Run the following commands:
# apk update
# apk add sbctl
# sbctl create-keys
# sbctl sign /boot/efi/Alpine/linux-lts.efi
# sbctl enroll-keys -m
9. Reboot the system and enter the HP BIOS Setup Utility (F10).
10. Go to System Configuration
11. Change Secure Boot to Enabled
12. Press F10 to save settings
Note: If you had to use sbctl, you must run sbctl sign /boot/efi/Alpine/linux-lts.efi
every time the kernel is upgraded, because the Unified Kernel Image regenerated by the kernel hook is not signed with the sbctl keys. There is no need to disable Secure Boot for the upgrade, as long as you sign the new Unified Kernel Image before you reboot.
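Whichever enrollment path you used, check before rebooting with enforcement on that the firmware actually left Setup Mode with Secure Boot enabled, that the cmdline still has no initrd=, and that the Unified Kernel Image on the ESP verifies against the db certificate that is enrolled. The script below is an added example and is not part of the Alpine wiki, secureboot-hook or sbctl. It assumes (not stated on this page) that efi-mkkeys wrote the db certificate as /etc/uefi-keys/db.crt and that sbverify from the sbsigntool package is installed; both paths can be passed on the command line. It reads the SecureBoot and SetupMode variables directly from efivarfs, whose files carry a 4-byte attribute word before the variable's payload.

```shell
#!/bin/sh
# sb-check.sh: sanity checks after enrolling Secure Boot keys on Alpine.
# Added example, not code from the Alpine wiki or any Alpine package.
# Assumptions: db certificate at /etc/uefi-keys/db.crt (efi-mkkeys output
# name assumed), sbverify from sbsigntool installed for the signature check.
set -eu

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# First payload byte of an efivars file. The file starts with a 4-byte
# attribute word, so the variable's data begins at offset 4. Prints
# nothing if the file is missing or unreadable.
efivar_first_byte() {
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# Classify the firmware state from SecureBoot and SetupMode:
#   setup     - still in Setup Mode: no PK enrolled, nothing is enforced
#   enforcing - user mode with SecureBoot=1: only db-signed images boot
#   disabled  - user mode with SecureBoot=0
#   unknown   - variables not found (no UEFI boot, or efivarfs not mounted)
secureboot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_first_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_first_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    if [ -z "$sb" ] || [ -z "$sm" ]; then
        echo unknown
    elif [ "$sm" = 1 ]; then
        echo setup
    elif [ "$sb" = 1 ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# The UKI embeds its own initramfs; an initrd= parameter would make the
# kernel load a separate, unsigned file from the ESP. Returns 1 if present.
cmdline_ok() {
    case "$1" in
        *initrd=*) return 1 ;;
        *) return 0 ;;
    esac
}

# Verify the UKI's Authenticode signature against the given certificate.
# Fails if the image is unsigned, signed by another key, or sbverify is absent.
uki_signed_by() {
    sbverify --cert "$2" "$1" >/dev/null 2>&1
}

main() {
    uki=${1:-/boot/efi/Alpine/linux-lts.efi}
    cert=${2:-/etc/uefi-keys/db.crt}
    conf=/etc/kernel-hooks.d/secureboot.conf
    rc=0

    echo "firmware state: $(secureboot_state)"

    if [ -r "$conf" ]; then
        if cmdline_ok "$(grep '^cmdline=' "$conf" || true)"; then
            echo "cmdline: ok (no initrd=)"
        else
            echo "cmdline: contains initrd=, remove it and rerun apk fix kernel-hooks"
            rc=1
        fi
    fi

    if uki_signed_by "$uki" "$cert"; then
        echo "$uki: signature verifies against $cert"
    else
        echo "$uki: does NOT verify against $cert (unsigned, wrong key, or sbverify missing)"
        rc=1
    fi
    return $rc
}

# Run the checks only when invoked as:  sh sb-check.sh check [uki] [db.crt]
if [ "${1:-}" = check ]; then
    shift
    main "$@"
fi
```

A result of "setup" after the ThinkPad procedure means the PK did not get enrolled, so nothing is enforced yet; "enforcing" together with a failed signature check means the next reboot will not boot the UKI, which is exactly the case the sbctl note above warns about after a kernel upgrade.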