UEFI Secure Boot

From Alpine Linux
Revision as of 19:46, 9 August 2021 by Jirutka (talk | contribs)
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Jirutka on 9 Aug 2021.)

Mounting ESP

Prepare mount point for UEFI partition (ESP) at /boot/efi:

install -d -m 000 /boot/efi

Add the following line to /etc/fstab:

 UUID=<first-partition-uuid>  /boot/efi  vfat  rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2

Mount it:

mount /boot/efi

Generating own UEFI keys

Install package efi-mkkeys:

apk add efi-mkkeys

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

mkdir -p /etc/uefi-keys/vendor cd /etc/uefi-keys/vendor for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

efi-mkkeys -s "Your Name" -o /etc/uefi-keys

Now you can uninstall efi-mkkeys if you want:

apk del efi-mkkeys

Generating Unified Kernel Image

Install package secureboot-hook and efibootmgr:

apk add secureboot-hook efibootmgr

Adjust parameter cmdline in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd= parameter! Example of a valid cmdline:

 cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"

Run kernel hooks:

apk fix kernel-hooks

Disable mkinitfs trigger:

echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf

Add boot entry:

efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose

Enrolling UEFI keys

Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

  1. Reboot system and enter ThinkPad Setup (F1).
  2. Go to Security > Secure Boot
  3. Change Secure Boot to Enabled
  4. Reset to Setup Mode
  5. Go to Key Management
  6. Authorized Signature Database (DB)
    • Enroll DB > select your Flash Drive > select db.auth
    • Delete DB > delete Microsoft certificates (optional)
  7. Key Exchange Key (KEK)
    • Enroll KEK > select your Flash Drive > select KEK.auth
    • Delete KEK > delete Microsoft certificates (optional)
  8. Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
  9. Go to top, Restart > Exit Saving Changes

Resources