UEFI Secure Boot
This material is work-in-progress ... Do not follow instructions here until this notice is removed.
Mounting ESP
Create the mount point for the EFI System Partition (ESP) at /boot/efi (mode 000, so the empty directory is unusable by mistake while nothing is mounted on it):
install -d -m 000 /boot/efi
Add the following line to /etc/fstab, with <first-partition-uuid> replaced by the UUID of the ESP (blkid prints it):
UUID=<first-partition-uuid> /boot/efi vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
Mount it:
mount /boot/efi
Generating own UEFI keys
Install package efi-mkkeys:
apk add efi-mkkeys
Before creating new keys and modifying EFI variables, back up the current variables so that they can be restored if something goes wrong (efi-readvar comes from the efitools package):
mkdir -p /etc/uefi-keys/vendor
cd /etc/uefi-keys/vendor
for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done
Generate your self-signed PK, KEK and db keys, including the .esl and .auth files. The private keys stay in /etc/uefi-keys and the db key is what signs the unified kernel images, so keep the directory readable by root only and back it up:
efi-mkkeys -s "Your Name" -o /etc/uefi-keys
Now you can uninstall efi-mkkeys if you want:
apk del efi-mkkeys
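Before copying the generated files anywhere, it is worth checking that they are what the firmware expects. The script below is an added example, not part of the Alpine wiki or of efi-mkkeys: it walks each .esl as a sequence of EFI_SIGNATURE_LIST records (the layout from the UEFI specification, written in the comments), requires every record to be of type EFI_CERT_X509 with self-consistent sizes, and checks that each .auth file (the ESL wrapped in a timestamp and PKCS#7 signature) is larger than the bare .esl. It assumes the directory layout this page produces (PK, KEK and db in /etc/uefi-keys) and uses only POSIX tools, so it runs under busybox; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki or efi-mkkeys): sanity-check the
# EFI Signature List (.esl) and .auth files written by the key generation step
# before they are enrolled in the firmware. Only POSIX tools (od, wc) are used.
#
# On-disk layout of one EFI_SIGNATURE_LIST record (integers little-endian):
#   bytes 0..15   SignatureType GUID
#   bytes 16..19  SignatureListSize   (size of this whole record)
#   bytes 20..23  SignatureHeaderSize (0 for X.509 lists)
#   bytes 24..27  SignatureSize       (16-byte owner GUID + DER certificate)
#   then the signature entries; several records may be concatenated in a file.

# EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 as stored on disk
# (the first three GUID fields are little-endian).
X509_GUID_BYTES="a1 59 c0 a5 e4 94 a7 4a 87 b5 ab 15 5c 2b f0 72"

# read_bytes FILE OFFSET COUNT -> space separated lowercase hex bytes
read_bytes() {
    od -An -tx1 -v -j "$2" -N "$3" "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# le32 FILE OFFSET -> unsigned 32-bit little-endian integer as decimal
le32() {
    le32_file=$1
    set -- $(od -An -tu1 -v -j "$2" -N 4 "$le32_file")
    [ $# -eq 4 ] || return 1
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# esl_check FILE: walk every record, require X.509 type and consistent sizes.
# Prints a summary and returns 0, or prints the problem on stderr and returns 1.
esl_check() {
    esl=$1
    esl_size=$(wc -c < "$esl" | tr -d ' ')
    off=0; lists=0; certs=0
    while [ "$off" -lt "$esl_size" ]; do
        if [ $((esl_size - off)) -lt 28 ]; then
            echo "$esl: truncated record header at offset $off" >&2; return 1
        fi
        guid=$(read_bytes "$esl" "$off" 16)
        if [ "$guid" != "$X509_GUID_BYTES" ]; then
            echo "$esl: record at offset $off is not EFI_CERT_X509 (type $guid)" >&2; return 1
        fi
        lsize=$(le32 "$esl" $((off + 16)))
        hsize=$(le32 "$esl" $((off + 20)))
        ssize=$(le32 "$esl" $((off + 24)))
        if [ "$lsize" -lt 28 ] || [ $((off + lsize)) -gt "$esl_size" ]; then
            echo "$esl: SignatureListSize $lsize at offset $off overruns the file" >&2; return 1
        fi
        body=$((lsize - 28 - hsize))
        # Every entry is an owner GUID plus certificate bytes, so the body must be
        # a whole number of entries and each entry must carry some certificate.
        if [ "$hsize" -ne 0 ] || [ "$ssize" -le 16 ] || [ "$body" -le 0 ] || [ $((body % ssize)) -ne 0 ]; then
            echo "$esl: inconsistent sizes at offset $off (list=$lsize header=$hsize sig=$ssize)" >&2; return 1
        fi
        certs=$((certs + body / ssize))
        lists=$((lists + 1))
        off=$((off + lsize))
    done
    echo "$esl: $lists list(s), $certs X.509 certificate(s)"
}

# keyset_check DIR: PK, KEK and db must exist as .esl and .auth, every .esl must
# parse, and each .auth (timestamp + PKCS#7 signature + ESL) must be larger than
# the bare .esl it wraps. Returns 1 if anything is wrong.
keyset_check() {
    dir=$1; rc=0
    for name in PK KEK db; do
        for ext in esl auth; do
            if [ ! -s "$dir/$name.$ext" ]; then
                echo "$dir/$name.$ext missing or empty" >&2; rc=1
            fi
        done
        [ -s "$dir/$name.esl" ] && [ -s "$dir/$name.auth" ] || continue
        esl_check "$dir/$name.esl" || rc=1
        if [ "$(wc -c < "$dir/$name.auth" | tr -d ' ')" -le "$(wc -c < "$dir/$name.esl" | tr -d ' ')" ]; then
            echo "$dir/$name.auth is not larger than $name.esl: not a signed variable update" >&2; rc=1
        fi
    done
    return $rc
}

# Check the directory this page uses when it exists (assumption: keys live there).
if [ -d /etc/uefi-keys ]; then
    keyset_check /etc/uefi-keys
fi
```

Run it as `sh esl-check.sh` after efi-mkkeys has finished; a non-zero status from keyset_check means one of the files should not be enrolled. The type check matters because a firmware that receives a list of the wrong signature type in db will either reject it or, worse, treat hashes as certificates.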
Generating Unified Kernel Image
Install package secureboot-hook and efibootmgr:
apk add secureboot-hook efibootmgr
Adjust the parameter cmdline in /etc/kernel-hooks.d/secureboot.conf. It must not contain an initrd= parameter, because the initramfs is embedded in the unified image. Example of a valid cmdline:
cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"
Run the kernel hooks to build and sign the unified kernel image:
apk fix kernel-hooks
Disable the mkinitfs trigger, so that kernel upgrades no longer write a separate initramfs to /boot (the hook builds it into the unified image):
echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
Add a boot entry for the signed image (replace <dev> with the disk that holds the ESP, e.g. /dev/sda or /dev/nvme0n1, and --part with the partition number of the ESP):
efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --loader /Alpine/linux-lts.efi --verbose
Enrolling UEFI keys
Copy all *.esl and *.auth files from /etc/uefi-keys to a FAT-formatted file system (the EFI system partition works).
Launch the firmware setup utility and enrol the db, KEK and PK certificates, in this order. The order matters: enrolling the PK switches the firmware from setup mode to user mode, after which db and KEK can only be changed with updates signed by the KEK or PK. Firmware interfaces differ between vendors; the following steps for a ThinkPad T14s are only an example.
- Reboot the system and enter ThinkPad Setup (F1).
- Go to Security > Secure Boot.
- Change Secure Boot to Enabled.
- Reset to Setup Mode.
- Go to Key Management.
  - Authorized Signature Database (DB)
    - Enroll DB > select your flash drive > select db.auth
    - Delete DB > delete the Microsoft certificates (optional; note that the option ROMs of many add-in cards, such as GPUs and NICs, are signed with the Microsoft UEFI CA and will not run once it is removed from db)
  - Key Exchange Key (KEK)
    - Enroll KEK > select your flash drive > select KEK.auth
    - Delete KEK > delete the Microsoft certificates (optional)
  - Platform Key (PK) > Enroll PK > select your flash drive > select PK.auth (this MUST be the last step, since enrolling the PK leaves setup mode)
- Go to the top, Restart > Exit Saving Changes.
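After the reboot, the whole procedure (cmdline, signed image, enrolled keys) can be verified from the running system. The script below is an added example, not part of the Alpine wiki or of secureboot-hook: it checks that the cmdline in secureboot.conf has no initrd= and does have root=, that the image the boot entry points at is present and is a PE file, and it reads the firmware's SecureBoot and SetupMode variables through efivarfs (each file there is four bytes of attributes followed by the data). It assumes the paths used on this page (/etc/kernel-hooks.d/secureboot.conf, /boot/efi/Alpine/linux-lts.efi) and the efivarfs mount at /sys/firmware/efi/efivars; the function names are the example's own, and each function takes its paths as arguments so it can be tried against constructed files.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki or secureboot-hook): verify the result
# of the Secure Boot setup. Only POSIX tools are used, so busybox is enough.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# cmdline_check CONF: print the cmdline value from CONF if it is acceptable for
# a unified kernel image (no initrd=, because the initramfs is embedded, and a
# root= parameter present); otherwise explain on stderr and return 1.
cmdline_check() {
    line=$(grep '^cmdline=' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo "$1: no cmdline= setting" >&2; return 1
    fi
    val=${line#cmdline=}
    val=${val#\"}; val=${val%\"}      # strip double quotes as used on this page
    val=${val#\'}; val=${val%\'}      # or single quotes, equally valid shell syntax
    case " $val " in
        *" initrd="*) echo "$1: cmdline must not contain initrd= (the initramfs is inside the image)" >&2; return 1 ;;
    esac
    case " $val " in
        *" root="*) ;;
        *) echo "$1: cmdline has no root= parameter" >&2; return 1 ;;
    esac
    echo "$val"
}

# uki_check ESP LOADER: the loader path given to efibootmgr must exist on the
# ESP and start with the "MZ" stub every PE/COFF (EFI) executable begins with.
uki_check() {
    if [ ! -s "$1$2" ]; then
        echo "$1$2: image not found on the ESP" >&2; return 1
    fi
    if [ "$(head -c 2 "$1$2")" != "MZ" ]; then
        echo "$1$2: not a PE executable" >&2; return 1
    fi
    echo "$1$2: present"
}

# efivar_u8 DIR NAME: first data byte of the EFI global variable NAME read via
# efivarfs (4 bytes of attributes, then the variable data). Returns 1 if absent.
efivar_u8() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# secureboot_state DIR: report, and return 0 only when Secure Boot is enforced
# (SecureBoot=1) and the firmware has left setup mode (SetupMode=0, which is
# the effect of enrolling the PK).
secureboot_state() {
    sb=$(efivar_u8 "$1" SecureBoot) || {
        echo "SecureBoot variable not found: not booted via UEFI or efivarfs not mounted" >&2; return 2
    }
    sm=$(efivar_u8 "$1" SetupMode) || sm=unknown
    echo "SecureBoot=$sb SetupMode=$sm"
    [ "$sb" = 1 ] && [ "$sm" = 0 ]
}

# Run the checks against the paths this page uses, when they exist.
status=0
if [ -r /etc/kernel-hooks.d/secureboot.conf ]; then
    cmdline_check /etc/kernel-hooks.d/secureboot.conf || status=1
fi
if [ -d /boot/efi/Alpine ]; then
    uki_check /boot/efi /Alpine/linux-lts.efi || status=1
fi
if [ -d /sys/firmware/efi/efivars ]; then
    secureboot_state /sys/firmware/efi/efivars || status=1
fi
```

Run it as `sh secureboot-check.sh`; problems are printed on stderr and `$status` is 1 if any check failed. SecureBoot=1 with SetupMode=1 means the PK was not enrolled (the firmware is still in setup mode and will accept unsigned key changes), while SecureBoot=0 after enrolling everything usually means Secure Boot was left disabled in the setup utility.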