UEFI: Difference between revisions

From Alpine Linux
(removed outdated information, reduced redundant information added links to see also section)
(updated the contents of the page)
Line 1: Line 1:
{{TOC right}}
{{TOC right}}
Unified Extensible Firmware Interface (UEFI) is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI-implementation is typically the first that runs, before starting the operating system. This page documents how Alpine Linux works with devices using UEFI firmware.  
[https://en.wikipedia.org/wiki/UEFI Unified Extensible Firmware Interface(UEFI)] is a specification for the firmware architecture of a computing platform. This page documents how Alpine Linux works with devices using UEFI firmware.  


{{Todo|This article is written with a PC-centric (i686+x86_64) point of view. Help making this article more applicable to other UEFI Architectures, particularly ARM, would be greatly appreciated.}}
{{Tip|To [[Installation|install]] Alpine Linux''' Disable Secure Boot''' in UEFI firmware. [[UEFI_Secure_Boot|Secure boot]] page has instructions for enabling it after Alpine Linux is installed.}}
 
== UEFI boot process ==
 
UEFI has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. These boot entries can be viewed and edited with <Code>efibootmgr</Code> utility available in the {{pkg|efibootmgr}} package.
 
UEFI requires a partition called "EFI System Partition" (ESP) - a FAT32 partition where the OS bootloader apps get installed to. UEFI firmware can read ESP partition, a UDF or FAT32-formatted USB drive or DVD, and look for OS boot loaders and runs it.
 
The format of the file path is defined as <EFI_SYSTEM_PARTITION>\EFI\BOOT\BOOT<MACHINE_TYPE_SHORT_NAME>.EFI; for example, the file path to the OS loader on an x86-64 system is {{Path|\efi\boot\bootx64.efi}} and {{Path|\efi\boot\bootaa64.efi}} on ARM64 architecture.


== Disk layout for UEFI ==
== Disk layout for UEFI ==
Alpine Linux requires a root partition, but on UEFI systems an EFI System Partition(ESP) is also required. The EFI System Partition must contain a bootloader program in {{path|\EFI\$bootloader.efi}}.{{citation needed}}


Regular UEFI boot has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. These boot entries can be viewed and edited with <Code>efibootmgr</Code> utility available in the {{pkg|efibootmgr}} package.
[[#UEFI-GPT layout|UEFI-GPT layout]] is the recommended layout for UEFI. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition. UEFI booting does not involve any "boot" flag, as that's it's a need only for BIOS booting.  


The correct way for this to work when booting off local disk is for a boot variable to point to a vendor-specific bootloader program in <code>\EFI\$bootloader.efi</code> on the EFI System Partition (ESP), a specially tagged partition.
=== UEFI-GPT layout ===


The recommended filesystem format for your EFI System Partition (ESP) is '''vfat''' (i.e. FAT16 or FAT32). The '''root partition''', and any additional partitions or LVM volume groups, may be in any format that the kernel is capable of reading.
Booting UEFI systems from GPT-partitioned disks is commonly called UEFI-GPT booting. On UEFI systems, Alpine Linux requires an EFI System Partition(ESP) in addition to the (/) root partition. A minimal UEFI-GPT layout is given below:
 
=== UEFI/GPT minimal layout ===


{| class="wikitable"
{| class="wikitable"
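Review bot: in the new "UEFI boot process" text, the sentence "The format of the file path is defined as <EFI_SYSTEM_PARTITION>\EFI\BOOT\BOOT<MACHINE_TYPE_SHORT_NAME>.EFI" presents that path as the path to the OS loader, while the paragraph this revision removes said that on a local disk a boot variable points to a vendor-specific loader at \EFI\$bootloader.efi. The revision drops that case without a replacement. Suggest saying when the BOOT<MACHINE_TYPE_SHORT_NAME>.EFI path applies and keeping one sentence on NVRAM entries that point at vendor loaders. "as that's it's a need only for BIOS booting" and "look for OS boot loaders and runs it" also need a grammar pass.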
Line 32: Line 37:
|}
|}


=== BIOS layouts ===
=== BIOS-MBR layout ===
 
BIOS-style booting from MBR-partitioned disks is called BIOS-MBR, regardless of it being performed on UEFI or legacy BIOS-based systems. Such a boot scheme is commonly called UEFI-MBR.


==== BIOS/MBR minimal layout ====
Despite the fact that the UEFI specification requires MBR partition tables to be fully supported, some UEFI firmware implementations may immediately switch to BIOS-based Compatibility Support Module (CSM) booting depending on the type of boot disk's partition table, effectively preventing UEFI booting to be performed from EFI System Partition on MBR-partitioned disks. '''Avoid this except on [[#BIOS boot process|BIOS only motherboards]] and CSM is a deprecated feature as of late 2020's'''.  
UEFI replaced the BIOS that was present in the boot ROM of all personal computers that are IBM PC compatible. UEFI provide backwards compatibility with the BIOS using CSM booting.


{| class="wikitable"
{| class="wikitable"
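Review bot: the new BIOS-MBR paragraph gives one scheme two names: "is called BIOS-MBR" is followed by "Such a boot scheme is commonly called UEFI-MBR". The next paragraph is about UEFI booting from MBR-partitioned disks, so the second name reads as if it belongs there. Suggest rewording so each name is attached to exactly one scheme. The bold sentence "Avoid this except on BIOS only motherboards and CSM is a deprecated feature as of late 2020's" joins two separate statements and should be split.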
Line 54: Line 60:
|}
|}


==== BIOS/GPT minimal layout ====
== BIOS boot process ==
 
BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed disk.  BIOS can only assume one boot loader occupying the start of hard drive. So each OS overwrites it with its own boot loader.
 
MBR cannot handle disks larger than 2 TiB (2<sup>32</sup> × 512 bytes). Therefore, it is impossible to use any drive space beyond 2 TiB using MBR layout.
 
BIOS is '''deprecated''' since approximately 2011 onwards and modern motherboards are using UEFI.
 
=== BIOS-GPT layout ===
 
Booting legacy BIOS-based systems from GPT disks is also possible, and such a boot scheme is commonly called BIOS-GPT. A BIOS boot partition with "boot" flag is only required when using this layout. This partition must '''not''' be formatted with a file system or mounted. '''Not recommended'''


{| class="wikitable"
{| class="wikitable"
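Review bot: the new BIOS-GPT paragraph ends with a bare bold "Not recommended" and gives no reason. Suggest a full sentence that says why, or a link to the recommended UEFI-GPT layout. "BIOS is deprecated since approximately 2011 onwards" in the same hunk is stated without a source and would be clearer as "has been deprecated since approximately 2011".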
Line 73: Line 89:


|}
|}
=== Boot flags and boot partition ===
UEFI booting does not involve any "boot" flag, that's it's a need only for BIOS booting. The UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition.
A BIOS boot partition is only required when using GRUB for BIOS booting from a GPT disk. This partition must not be formatted with a file system or mounted.
== Boot process ==
=== BIOS boot process ===
BIOS mainly supports two methods of booting - loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed IDE disk.
BIOS can only assume one boot loader occupying the start of hard drive. So each OS overwrites it with its own boot loader.
MBR cannot handle disks larger than 2 TiB (2<sup>32</sup> × 512 bytes). Therefore, it is impossible to use any drive space beyond 2 TiB using MBR layout. So if you're booting from it and use BIOS, you MUST use MBR - and you simply can't use any space beyond that if your boot drive is 2TB or bigger.
Modern motherboards (since approximately 2011 onwards) are using UEFI natively, but most can emulate BIOS through the CSM (Compatibility Support Module) to maintain support for BIOS-style booting.
=== UEFI boot process ===
UEFI firmware can read a UDF or FAT32-formatted USB drive or DVD, and look for the file /efi/boot/bootx64.efi and run it.
UEFI uses a partitioning system called GPT instead of MBR, and needs a partition called "EFI System Partition" (ESP) - a FAT32 partition where the boot loader apps get installed to.
Each OS will stick its boot loader somewhere in the ESP and each entry installed in this manner will get its own listing in your "boot devices" list on the firmware - so if you installed MACOSX, you'll have "MACOSX Boot Manager" as an entry next to your DVD drive and hard drive after you reboot.


== Secure boot ==
== Secure boot ==
Line 107: Line 98:


Alpine Linux does not have a certificate which some other Linux distributions (mostly enterprise-related) have. This means that on new computer systems, users have to first ''' disable Secure Boot to be able to install Alpine Linux'''.
Alpine Linux does not have a certificate which some other Linux distributions (mostly enterprise-related) have. This means that on new computer systems, users have to first ''' disable Secure Boot to be able to install Alpine Linux'''.
{{Tip|''' Disable Secure Boot in UEFI''' firmware to be able to [[Installation|install]] Alpine Linux. Refer [[UEFI_Secure_Boot|Secure boot]] page for enabling it after Alpine Linux is installed.}}


Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates from motherboard manufacturers which can run before operating system startup (like <Code>fwupdate/fwupd</Code>), and other utilities may live here too.
Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates from motherboard manufacturers which can run before operating system startup (like <Code>fwupdate/fwupd</Code>), and other utilities may live here too.

Revision as of 08:02, 1 November 2025

Unified Extensible Firmware Interface (UEFI) is a specification for the firmware architecture of a computing platform. This page documents how Alpine Linux works with devices using UEFI firmware.

Tip: To install Alpine Linux, disable Secure Boot in the UEFI firmware. The Secure boot page has instructions for enabling it after Alpine Linux is installed.

UEFI boot process

UEFI has several lists of possible boot entries, stored in UEFI config variables (normally in NVRAM), and boot order config variables stored alongside them. These boot entries can be viewed and edited with the efibootmgr utility, available in the efibootmgr package.

UEFI requires a partition called the "EFI System Partition" (ESP), a FAT32 partition where the OS boot loader applications are installed. UEFI firmware can read the ESP, or a UDF- or FAT32-formatted USB drive or DVD, look for an OS boot loader and run it.

The format of the file path is defined as <EFI_SYSTEM_PARTITION>\EFI\BOOT\BOOT<MACHINE_TYPE_SHORT_NAME>.EFI; for example, the file path to the OS loader is \efi\boot\bootx64.efi on an x86-64 system and \efi\boot\bootaa64.efi on the ARM64 architecture.
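The path format above can be checked on a running system. The following is an added example, not code from the Alpine wiki: it reports the firmware boot mode and locates the BOOT<MACHINE_TYPE_SHORT_NAME>.EFI loader on a mounted ESP so its hash can be recorded as a baseline. The function names and the ESP mount point passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki). Function names are hypothetical.

# Map `uname -m` output to the machine-type short name in BOOT<NAME>.EFI.
efi_short_name() {
    case "$1" in
        x86_64)  echo X64 ;;
        i?86)    echo IA32 ;;
        aarch64) echo AA64 ;;
        armv7*)  echo ARM ;;
        riscv64) echo RISCV64 ;;
        *)       return 1 ;;
    esac
}

# The kernel creates /sys/firmware/efi only when it was started by UEFI firmware.
boot_mode() {
    if [ -d "${1:-/sys/firmware/efi}" ]; then echo uefi; else echo bios; fi
}

# Print the fallback loader under ESP mount point $1 for machine $2.
# FAT is case-insensitive, so EFI/BOOT/BOOTX64.EFI and efi/boot/bootx64.efi
# name the same file; match without regard to case.
find_fallback_loader() {
    esp=${1%/}
    name=$(efi_short_name "$2") || return 2
    find "$esp" -maxdepth 3 -type f \
        -ipath "$esp/efi/boot/boot$name.efi" 2>/dev/null | head -n 1
}

# Report boot mode, the fallback loader and its SHA-256 for baselining.
esp_report() {
    echo "boot mode: $(boot_mode)"
    loader=$(find_fallback_loader "$1" "$(uname -m)")
    if [ -n "$loader" ]; then
        echo "fallback loader: $loader"
        sha256sum "$loader"
    else
        echo "no fallback loader under $1"
    fi
}

# Runs only when an ESP mount point is given, e.g.: sh esp-check.sh /boot/efi
if [ $# -gt 0 ]; then esp_report "$1"; fi
```

Comparing the recorded hash after bootloader or firmware updates shows whether the fallback loader changed when it was expected to.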

Disk layout for UEFI

UEFI-GPT layout is the recommended layout for UEFI. UEFI booting relies solely on the boot entries in NVRAM. Parted and its front-ends use a "boot" flag on GPT to indicate that a partition is an EFI system partition. UEFI booting does not involve any "boot" flag, as that is needed only for BIOS booting.

UEFI-GPT layout

Booting UEFI systems from GPT-partitioned disks is commonly called UEFI-GPT booting. On UEFI systems, Alpine Linux requires an EFI System Partition (ESP) in addition to the root (/) partition. A minimal UEFI-GPT layout is given below:

Mount point Partition Partition type Purpose Recommended minimum size
/boot or /efi or /boot/efi /dev/sda1 EFI system partition 260 MiB
/ /dev/sda2 Alpine Linux root system OS 1–32 GiB

BIOS-MBR layout

BIOS-style booting from MBR-partitioned disks is called BIOS-MBR, regardless of it being performed on UEFI or legacy BIOS-based systems. Such a boot scheme is commonly called UEFI-MBR.

Although the UEFI specification requires MBR partition tables to be fully supported, some UEFI firmware implementations may immediately switch to BIOS-based Compatibility Support Module (CSM) booting depending on the type of the boot disk's partition table, effectively preventing UEFI booting from the EFI System Partition on MBR-partitioned disks. Avoid this layout except on BIOS-only motherboards; CSM is a deprecated feature as of the late 2020s.

Mount point Partition Partition type Purpose Recommended minimum size
/boot /dev/sda1 Boot grub partition (optional) 100 MiB
/ /dev/sda2 Alpine Linux root system OS 1–32 GiB

BIOS boot process

BIOS mainly supports two methods of booting: loading approximately 448 bytes of 8088 machine code from the start of a floppy disk, or the same from the start of a fixed disk. BIOS can only assume one boot loader occupying the start of the hard drive, so each OS overwrites it with its own boot loader.

MBR cannot handle disks larger than 2 TiB (2^32 × 512 bytes). Therefore, it is impossible to use any drive space beyond 2 TiB using MBR layout.

BIOS has been deprecated since approximately 2011, and modern motherboards use UEFI.

BIOS-GPT layout

Booting legacy BIOS-based systems from GPT disks is also possible, and such a boot scheme is commonly called BIOS-GPT. A BIOS boot partition with the "boot" flag is required only when using this layout. This partition must not be formatted with a file system or mounted. This layout is not recommended.

Mount point Partition Partition type Purpose Recommended minimum size
None /dev/sda1 BIOS boot partition 8 MiB
/ /dev/sda2 Alpine Linux root system OS 1–32 GiB

Secure boot

When the device is powered on, Secure Boot checks the digital signatures of the boot loader and operating system. If the signatures are valid and match the trusted keys stored in the system, the boot process continues. If not, Secure Boot halts the process to protect against tampering. You can provide a list of certificates you trust, and the firmware then enforces that everything involved in the boot process (not just the boot loader, but the OS kernel itself, and all your device firmware like your GPU BIOS) is signed with a trusted key. It works using cryptographic checksums and signatures, and it stops your system from booting unsigned code. You can sign your own code and trust the certificate you used to do that signing.

Almost every new computer system (i.e. every motherboard) has a small list of pre-trusted certificates, which almost always includes Microsoft's certificates, which they currently let anyone use for a small fee. This is due to Microsoft's actions as a Certification Authority (CA) for Secure Boot: they sign programs and boot loaders on behalf of other trusted organizations so that their programs will run, but at a cost.

Alpine Linux does not have a certificate which some other Linux distributions (mostly enterprise-related) have. This means that on new computer systems, users have to first disable Secure Boot to be able to install Alpine Linux.
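Before installing, or after re-enabling Secure Boot, the current state can be read from the firmware variables that Linux exposes through efivarfs. The following is an added example, not code from the Alpine wiki: the function names are hypothetical, and it assumes efivarfs is mounted at /sys/firmware/efi/efivars and that SecureBoot and SetupMode are read under the UEFI global-variable GUID.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki). Function names are hypothetical.

# GUID of the UEFI global variables (SecureBoot, SetupMode, BootOrder, ...).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file holds 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode are one byte each; print that byte as a decimal.
efivar_byte() {
    [ -r "$1" ] || return 1
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# Print one of: not-uefi, unsupported, setup-mode, enabled, disabled.
# $1 overrides the efivarfs directory (used for testing with constructed files).
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo not-uefi; return 0; }
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || { echo unsupported; return 0; }
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || sm=0
    if [ "$sm" = 1 ]; then
        # Setup mode: no platform key is enrolled, so signatures are not enforced.
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

secure_boot_state
```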

Most of the programs that are expected to run in the UEFI environment are boot loaders, but others exist too. There are also programs to deal with firmware updates from motherboard manufacturers which can run before operating system startup (like fwupdate/fwupd), and other utilities may live here too.

See also