UEFI: Difference between revisions

From Alpine Linux
m (Prabuanand moved page Alpine and UEFI to UEFI: the comment by Sertonix (talk) 20:13, 25 August 2023 (UTC) makes proper sense)
(Commented out most of the obsolete content and organised headings and content)
Line 1: Line 1:
{{TOC right}}
{{TOC right}}
{{Note|This article is written with a PC-centric (i686+x86_64) point of view. Help making this article more applicable to other UEFI Architectures, particularly ARM, would be greatly appreciated.}}
Unified Extensible Firmware Interface (UEFI) is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI-implementation is typically the first that runs, before starting the operating system.
{{Style|This is an article and should feel less like a story (for example warnings in the article instead of a conclusion at the end)}}


Refer [[UEFI_Secure_Boot|Secure boot]] page for enabling it after [[Installation]] of Alpine Linux.
{{Tip|''' Disable [[#Secure Boot|Secure Boot]] in UEFI''' to be able to [[Installation|install]]  Alpine Linux. Refer [[UEFI_Secure_Boot|Secure boot]] page for enabling it after Alpine Linux is installed.}}


= UEFI and BIOS definitions and introduction =
== Disk layout for UEFI ==
{{Todo|This article is written with a PC-centric (i686+x86_64) point of view. Help making this article more applicable to other UEFI Architectures, particularly ARM, would be greatly appreciated.}}
Alpine Linux requires a root partition, but on UEFI systems an EFI System Partition is also required. The EFI System Partition must contain a bootloader program in {{path|\EFI\$bootloader.efi}}.{{citation needed}}


For a brief introduction to UEFI and BIOS, see [https://wiki.archlinux.org/title/Unified%20Extensible%20Firmware%20Interface the ArchWiki page on the subject] and the [https://en.wikipedia.org/wiki/UEFI Wikipedia page for UEFI].
Regular UEFI boot has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. Unfortunately, some PC UEFI implementations have got this wrong and don't work properly. The most important of these can be viewed and edited with {{pkg|efibootmgr}}.
 
This article focuses on Alpine-specific information; enough material exists online as an introduction to UEFI.
 
= Alpine UEFI support =
 
Currently are only in basic form, not all the architectures are complete supported.
 
'''[https://alpinelinux.org/posts/Alpine-3.7.0-released.html Alpine 3.7.0]''' introduced support for
[https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition]. Preliminary support in that version does not create the
EFI Partition and only has support for existing or manually created ones.


'''[https://alpinelinux.org/posts/Alpine-3.8.0-released.html Alpine 3.8.0] introduced support in the installer for the GRUB boot loader''' so now Linux experimental users can play with combinations of solutions and proper
The correct way for this to work when booting off local disk is for a boot variable to point to a vendor-specific bootloader program in <code>\EFI\$bootloader.efi</code> on the EFI System Partition (ESP), a specially tagged partition.  
[https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI] complete installations.
 
'''EFI System Partition are not the complete overall of the UEFI, it's just the need minimal infrastructure to property boot by and [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Implementation_and_adoption UEFI modern machine]. See the [[Alpine and UEFI#UEFI mandatory partition mechanics|Alpine UEFI partition mechanics notes]] section in this page for details.'''
 
Please read carefully the [[Alpine and UEFI#UEFI and BIOS definitions and introduction|UEFI and BIOS section of this page]].
 
== Minimum Alpine partition scheme ==
 
Alpine Linux requires a root partition, but on UEFI systems an EFI System Partition is also required. The EFI System Partition must contain a bootloader program in {{path|\EFI\$bootloader.efi}}.{{citation needed}} The current status of that mechanics to boot '''in Alpine Linux are still in development and only basic support to existing mades are provided'''. See [[Alpine and UEFI#UEFI mandatory partition mechanics|UEFI mandatory partition mechanics]] for details.
 
== Notes about the boot flags and boot partition ==
 
UEFI booting does not involve any "boot" flag, that's it's a need only for BIOS booting. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.
 
A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. The partition has nothing to do and it must not be formatted with a file system or mounted.
 
== Alpine disk layout for UEFI ==
 
You will need a disk layout that your system firmware is capable of booting, you '''will need a boot partition and a root partition'''. Other architectures may have different requirements and not all are supported, please read [[Alpine and UEFI#UEFI mandatory partition mechanics|UEFI mandatory partition mechanics]] for details.


If you don't already know what filesystem format you want your boot partition, choose '''vfat''' (i.e. FAT16 or FAT32). The '''root partition, and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading'''.
If you don't already know what filesystem format you want your boot partition, choose '''vfat''' (i.e. FAT16 or FAT32). The '''root partition, and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading'''.
Line 62: Line 34:


==== BIOS/MBR minimal layout ====
==== BIOS/MBR minimal layout ====
UEFI replaced the BIOS that was present in the boot ROM of all personal computers that are IBM PC compatible. UEFI provide backwards compatibility with the BIOS using CSM booting.


{| class="wikitable"
{| class="wikitable"
Line 100: Line 73:
|}
|}


= BIOS boot process for newbies =
=== Boot flags and boot partition ===
 
UEFI booting does not involve any "boot" flag, that's it's a need only for BIOS booting. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.
 
A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. This partition must not be formatted with a file system or mounted.
{{Style}}
== Boot process ==
=== BIOS boot process ===


BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk.
BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk.
Line 112: Line 92:
Modern motherboards (since approximately 2011 onwards) are using UEFI natively, but most can emulate BIOS through the CSM (Compatibility Support Module) to maintain support for BIOS-style booting.
Modern motherboards (since approximately 2011 onwards) are using UEFI natively, but most can emulate BIOS through the CSM (Compatibility Support Module) to maintain support for BIOS-style booting.


= UEFI boot process explained =
=== UEFI boot process ===


Well, let's start with installers. It'll read a UDF or FAT32-formatted USB drive or DVD, and look for the file /efi/boot/bootx64.efi and run it. An app, written in the UEFI "OS". It can be anything! Here's classic text adventure Zork, as a UEFI app.
Well, let's start with installers. It'll read a UDF or FAT32-formatted USB drive or DVD, and look for the file /efi/boot/bootx64.efi and run it. An app, written in the UEFI "OS". It can be anything! Here's classic text adventure Zork, as a UEFI app.
Line 122: Line 102:
Each OS will stick its boot loader somewhere in the ESP, then send a signal to the firmware to write this new loader's location into the CMOS. Each entry installed in this manner will get its own listing in your "boot devices" list on the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot. This is why you don't do the old "unplug drive A when installing a different OS to drive B" thing, or swap cables, or anything like that. You should only have one ESP, the one on drive A.  
Each OS will stick its boot loader somewhere in the ESP, then send a signal to the firmware to write this new loader's location into the CMOS. Each entry installed in this manner will get its own listing in your "boot devices" list on the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot. This is why you don't do the old "unplug drive A when installing a different OS to drive B" thing, or swap cables, or anything like that. You should only have one ESP, the one on drive A.  


== UEFI mandatory partition mechanics ==
== Secure Boot ==
{{Main|UEFI Secure Boot}}
 
It's a way for your motherboard to prevent tampering of your OS (e.g. boot-sector viruses, or backdoors installed without your knowledge). You can provide a list of certificates you trust, then the firmware enforces that everything involved with the boot process (not just the boot loader, but the OS kernel itself, and all your device firmware like your GPU BIOS) are signed with a trusted key.
 
It works using cryptographic checksums and signatures. It stops your system from booting unsigned code. You can sign your own, and trust the certificate you used to do that signing. Or you can get the boot code signed by Microsoft - every motherboard has a small list of pre-trusted certificates which almost (always) includes Microsoft's certificates, which they currently let anyone use for a small fee.


Regular UEFI boot has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. Unfortunately, some PC UEFI implementations have got this wrong and don't work properly. The most important of these can be viewed and edited with {{pkg|efibootmgr}}.
Alpine Linux does not have a certificate which some other Linux distributions (mostly enterprise-related) have. This means that on many new computer systems, users have to first ''' disable Secure Boot to be able to install Alpine Linux''' and the methods for doing this vary massively from one system to another, making this potentially quite difficult for users.
 
This is due to Microsoft's actions as a Certification Authority (CA) for Secure Boot. They sign programs/bootloaders on behalf of other trusted organizations so that their programs will run, but at great cost.. and there's nothing related to free software but affects to.. There's no Alpine Linux Certification like are with other enterprise related Linux.


The correct way for this to work when booting off local disk is for a boot variable to point to a vendor-specific bootloader program in <code>\EFI\$bootloader.efi</code> on the EFI System Partition (ESP), a specially tagged partition. The current status of that mechanics to boot in Alpine Linux are still in development and only basic support to existing made are provided.
Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates before operating system startup (like fwupdate and fwupd), and other utilities may live here too.
<!--
You will need a disk layout that your system firmware is capable of booting, you '''will need a boot partition and a root partition'''.  
== Alpine UEFI support ==


== What's this infamous "Secure Boot"? ==
Currently are only in basic form, not all the architectures are complete supported.


It's a way for your motherboard to prevent tampering of your OS (e.g. boot-sector viruses, or backdoors installed without your knowledge). You can provide a list of certificates you trust, then the firmware enforces that everything involved with the boot process (not just the boot loader, but the OS kernel itself, and all your device firmware like your GPU BIOS) are signed with a trusted key.
'''[https://alpinelinux.org/posts/Alpine-3.7.0-released.html Alpine 3.7.0]''' introduced support for  
[https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition]. Preliminary support in that version does not create the  
EFI Partition and only has support for existing or manually created ones.


It works using cryptographic checksums and signatures. It '''stops your system from booting unsigned code'''. You can sign your own, and trust the certificate you used to do that signing. Or you can get the boot code signed by Microsoft - every motherboard has a small list of pre-trusted certificates which almost (always) includes Microsoft's certificates, which they currently let anyone use for a small fee.
'''[https://alpinelinux.org/posts/Alpine-3.8.0-released.html Alpine 3.8.0] introduced support in the installer for the GRUB boot loader''' so now Linux experimental users can play with combinations of solutions and proper
[https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI] complete installations.


Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates before operating system startup (like fwupdate and fwupd), and other utilities may live here too.
'''EFI System Partition are not the complete overall of the UEFI, it's just the need minimal infrastructure to property boot by and [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Implementation_and_adoption UEFI modern machine]. See the [[Alpine and UEFI#UEFI mandatory partition mechanics|Alpine UEFI partition mechanics notes]] section in this page for details.'''


Due the "Unsigned code curse", Alpine linux [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#EFI_system_partition EFI System Partition] '''are not the complete overall of the [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI], it's just the need minimal infrastructure to property boot''' it!
Other architectures may have different requirements and not all are supported, please read [[Alpine and UEFI#UEFI mandatory partition mechanics|UEFI mandatory partition mechanics]] for details.


== How to boot unsigned code? ==
The current status of that mechanics to boot '''in Alpine Linux are still in development and only basic support to existing mades are provided'''. See [[Alpine and UEFI#UEFI mandatory partition mechanics|UEFI mandatory partition mechanics]] for details.


'''You must disable Secure Boot. Alpine has no support for Secure Boot as it does not have a certificate''' which some other Linux distributions (mostly enterprise-related) have. This means that on many new computer systems, users have to first disable Secure Boot to be able to install Alpine Linux and the methods for doing this vary massively from one system to another, making this potentially quite difficult for users.  
The current status of that mechanics to boot in Alpine Linux are still in development and only basic support to existing made are provided.


This is due to Microsoft's actions as a Certification Authority (CA) for Secure Boot. They sign programs/bootloaders on behalf of other trusted organizations so that their programs will run, but at great cost.. and there's nothing related to free software but affects to.. There's no Alpine Linux Certification like are with other enterprise related Linux.
Due the "Unsigned code curse", Alpine linux [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#EFI_system_partition EFI System Partition] '''are not the complete overall of the [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI], it's just the need minimal infrastructure to property boot''' it!


Take in consideration that for Alpine linux [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#EFI_system_partition EFI System Partition] are not the complete overall of the [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI], it's '''just the need minimal infrastructure to property boot''' by an [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Implementation_and_adoption UEFI modern machine]. See the [[Alpine and UEFI#UEFI mandatory partition mechanics|Alpine UEFI partition mechanics notes]] section in this page for details.
Take in consideration that for Alpine linux [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#EFI_system_partition EFI System Partition] are not the complete overall of the [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface UEFI], it's '''just the need minimal infrastructure to property boot''' by an [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Implementation_and_adoption UEFI modern machine]. See the [[Alpine and UEFI#UEFI mandatory partition mechanics|Alpine UEFI partition mechanics notes]] section in this page for details.


= Overall notes and conclusions =
== Overall notes and conclusions ==


Currently Alpine UEFI and Secure Boot are very early stage.. Initial support was added and enabled for UEFI, but Secure Boot must be disabled.
Currently Alpine UEFI and Secure Boot are very early stage.. Initial support was added and enabled for UEFI, but Secure Boot must be disabled.
Line 153: Line 146:


UEFI-only computers are very common nowadays and are more challenging machines in which to install Alpine linux. They will need the the new EFI partition to boot containing special files.
UEFI-only computers are very common nowadays and are more challenging machines in which to install Alpine linux. They will need the the new EFI partition to boot containing special files.
-->
== See Also ==


= See Also =
* [[Create a Bootable Compact Flash]]
* [[Create a bootable SDHC from a Mac]]
* [[Create a bootable SDHC from a Mac]]
* [[Create a Bootable USB]]
* [[Create a Bootable USB]]
* [[Create UEFI boot USB]]
* [[Create UEFI secureboot USB]]
* [[Create UEFI secureboot USB]]
* [[Bootloaders]]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface UEFI - Archwiki]
* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface UEFI - Archwiki]


[[Category:Installation]]
[[Category:Installation]][[Category:UEFI]]
[[Category:UEFI]]

Revision as of 04:50, 30 December 2024

Unified Extensible Firmware Interface (UEFI) is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI-implementation is typically the first that runs, before starting the operating system.

Tip: Disable Secure Boot in UEFI to be able to install Alpine Linux. Refer Secure boot page for enabling it after Alpine Linux is installed.

Disk layout for UEFI

Todo: This article is written with a PC-centric (i686+x86_64) point of view. Help making this article more applicable to other UEFI Architectures, particularly ARM, would be greatly appreciated.


Alpine Linux requires a root partition, but on UEFI systems an EFI System Partition is also required. The EFI System Partition must contain a bootloader program in \EFI\$bootloader.efi. [citation needed]

Regular UEFI boot has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. Unfortunately, some PC UEFI implementations have got this wrong and don't work properly. The most important of these can be viewed and edited with efibootmgr.

The correct way for this to work when booting off local disk is for a boot variable to point to a vendor-specific bootloader program in \EFI\$bootloader.efi on the EFI System Partition (ESP), a specially tagged partition.

If you don't already know what filesystem format you want your boot partition, choose vfat (i.e. FAT16 or FAT32). The root partition, and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading.

UEFI/GPT minimal layout

Mount point Partition Partition type Purpose Recommended minimum size
/boot or /efi /dev/sda1 Boot system partition for EFI 260 MiB
/ /dev/sda2 Alpine Linux root system OS 1–32 GiB

BIOS/MBR minimal layout

UEFI replaced the BIOS that was present in the boot ROM of all personal computers that are IBM PC compatible. UEFI provide backwards compatibility with the BIOS using CSM booting.

Mount point Partition Partition type Purpose Recommended minimum size
/boot /dev/sda1 Boot grub partition (optional) 100 MiB
/ /dev/sda2 Alpine Linux root system OS 1–32 GiB

BIOS/GPT minimal layout

Mount point Partition Partition type Purpose Recommended minimum size
None /dev/sda1 BIOS boot partition 8 MiB
/ /dev/sda2 Alpine Linux root system OS 1–32 GiB

Boot flags and boot partition

UEFI booting does not involve any "boot" flag, that's it's a need only for BIOS booting. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.

A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. This partition must not be formatted with a file system or mounted.

This material needs wiki syntax or style improvements ...

Please feel free to help us clean it up.

Boot process

BIOS boot process

BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk.

BIOS can only assume one boot loader occupying the start of hard drive. So each OS overwrites it with its own boot loader. This is very messy. There's also the 2 TiB issue with MBR.

In order to make your drive more useful, it's split up into partitions - chunks of disk space which can be treated as independent drives from inside your OS. Windows (following on from MS-DOS) only supports one method for partitioning its boot drive on BIOS systems, which is MBR.

MBR cannot handle disks larger than 2 TiB (232 × 512 bytes). Therefore, it is impossible to use any drive space beyond 2 TiB using MBR layout. So if you're booting from it and use BIOS, you MUST use MBR - and you simply can't use any space beyond that if your boot drive is 2TB or bigger.

Modern motherboards (since approximately 2011 onwards) are using UEFI natively, but most can emulate BIOS through the CSM (Compatibility Support Module) to maintain support for BIOS-style booting.

UEFI boot process

Well, let's start with installers. It'll read a UDF or FAT32-formatted USB drive or DVD, and look for the file /efi/boot/bootx64.efi and run it. An app, written in the UEFI "OS". It can be anything! Here's classic text adventure Zork, as a UEFI app.

It's possible to make boot media which is valid for both UEFI and BIOS. Unfortunately, in a slightly user-unfriendly twist, you (the user) need to pick the right boot entry. For example, on the wife's PC, a USB stick gets listed as both "UEFI: Sandisk Cruzer Edge" and "USB: Sandisk Cruzer Edge". Just... make sure you pick the right entry. It's impossible to change mode after this point.

It uses a different partitioning system called GPT instead of MBR, and secondly it creates an extra ~100 meg partition called the "EFI System Partition" - a FAT32 partition where the boot loader apps get installed to (no more boot sectors).

Each OS will stick its boot loader somewhere in the ESP, then send a signal to the firmware to write this new loader's location into the CMOS. Each entry installed in this manner will get its own listing in your "boot devices" list on the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot. This is why you don't do the old "unplug drive A when installing a different OS to drive B" thing, or swap cables, or anything like that. You should only have one ESP, the one on drive A.

Secure Boot

It's a way for your motherboard to prevent tampering of your OS (e.g. boot-sector viruses, or backdoors installed without your knowledge). You can provide a list of certificates you trust, then the firmware enforces that everything involved with the boot process (not just the boot loader, but the OS kernel itself, and all your device firmware like your GPU BIOS) are signed with a trusted key.

It works using cryptographic checksums and signatures. It stops your system from booting unsigned code. You can sign your own, and trust the certificate you used to do that signing. Or you can get the boot code signed by Microsoft - every motherboard has a small list of pre-trusted certificates which almost (always) includes Microsoft's certificates, which they currently let anyone use for a small fee.

Alpine Linux does not have a certificate which some other Linux distributions (mostly enterprise-related) have. This means that on many new computer systems, users have to first disable Secure Boot to be able to install Alpine Linux and the methods for doing this vary massively from one system to another, making this potentially quite difficult for users.

This is due to Microsoft's actions as a Certification Authority (CA) for Secure Boot. They sign programs/bootloaders on behalf of other trusted organizations so that their programs will run, but at great cost.. and there's nothing related to free software but affects to.. There's no Alpine Linux Certification like are with other enterprise related Linux.

Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates before operating system startup (like fwupdate and fwupd), and other utilities may live here too.

See Also