Create UEFI secureboot USB: Difference between revisions

From Alpine Linux

Revision as of 17:50, 21 April 2020

This article explains how to create a UEFI boot USB with parted and rEFInd. Unfortunately the version of GRUB that ships with Alpine Linux did not work and Gummiboot only worked on one of two machines I tested. I will submit a PR for a rEFInd package and update these instructions to simplify them given time.

In this example we will use /dev/sdX and $HOME. These will differ depending on your system. Substitute the paths in the examples below as necessary.

Create GPT boot partition

Install parted

apk add parted

Create a single UEFI boot partition.

Warning: This will erase all content of /dev/sdX. Make sure that you use the correct device.


parted --script /dev/sdX mklabel gpt
parted --script --align=optimal /dev/sdX mkpart ESP fat32 1MiB 100%
parted --script /dev/sdX set 1 boot on

Create fat32 filesystem

Create a fat32 filesystem labelled `ALPINE`:

mkfs.vfat -n ALPINE /dev/sdX1

Copy content of ISO image to filesystem

It is possible to mount the ISO image and copy the files with cp or rsync, and it is also possible to use 7z to extract the content from the ISO. In this example I will use the uniso utility from the alpine-conf package.

mount -t vfat /dev/sdX1 /mnt
cd /mnt
uniso < /path/to/alpine-3.8.2-x86_64.iso

Create MOK Key

openssl req -new -x509 -newkey rsa:2048 -keyout $HOME/alpine_local.key -out $HOME/alpine_local.crt -nodes -days 3650 -subj "/CN=Alpine Local CA/"
openssl x509 -in $HOME/alpine_local.crt -out $HOME/alpine_local.cer -outform DER

Download and install rEFInd

Download the binary zip file of rEFInd from http://www.rodsbooks.com/refind/getting.html. In this example we will use the current version of rEFInd, refind-bin-0.11.4.zip. There may be a more recent version of rEFInd available when you download.

cd /mnt/efi/boot
unzip /path/to/refind-bin-0.11.4.zip
mv refind-bin-0.11.4/refind/* .
rm -rf refind-bin-0.11.4

Copy signed shim

Download Matthew J. Garrett's signed shim from http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz. In this example we assume it is stored in your user's download directory. Substitute the paths in the example below as necessary.

cd /mnt/efi/boot
gunzip -c /path/to/shim-signed-0.2.tgz | tar x --strip-components=1 --no-same-owner

Install Shim and Certificate

cp $HOME/alpine_local.cer /mnt/efi/boot
cp /mnt/efi/boot/refind_x64.efi /mnt/efi/boot/grubx64.efi
cp /mnt/efi/boot/shim.efi /mnt/efi/boot/bootx64.efi

Sign the Bootloader and kernel with your key

sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/efi/boot/grubx64.efi
mv /mnt/efi/boot/grubx64.efi.signed /mnt/efi/boot/grubx64.efi
sbsign --key $HOME/alpine_local.key --cert $HOME/alpine_local.crt /mnt/boot/vmlinuz-vanilla
mv /mnt/boot/vmlinuz-vanilla.signed /mnt/boot/vmlinuz-vanilla
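Before unmounting, it is worth confirming that sbsign really attached a signature to both files. The following added example (not part of the original article; written in Python rather than the shell so it runs without sbsigntools installed) parses the PE/COFF headers and reports the Authenticode certificate table that sbsign adds; it applies to vmlinuz-vanilla as well, because an x86 bzImage is itself a PE image with an EFI stub. Feed it the file contents with signature_info(open(path, "rb").read()); build_sample_pe is a constructed stand-in for a real image, and sbverify --cert $HOME/alpine_local.crt from sbsigntools is the tool that additionally checks the signature against your certificate.

```python
"""Inspect a PE/COFF image for the Authenticode certificate table that sbsign adds.
Applies to grubx64.efi and to vmlinuz (an x86 bzImage is a PE with an EFI stub)."""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType used for Authenticode PKCS#7


def certificate_table(data: bytes):
    """(file_offset, size) of the Certificate Table directory entry, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    if len(data) < opt + 152:                     # too short to hold data directory entry 4
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+ (x86_64 EFI binaries)
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if struct.unpack_from("<I", data, nrva_off)[0] < 5:   # entry 4 is the security directory
        return None
    return struct.unpack_from("<II", data, dirs_off + 4 * 8)


def signature_info(data: bytes):
    """Parse the WIN_CERTIFICATE header the entry points at; None means unsigned."""
    entry = certificate_table(data)
    if not entry or entry[0] == 0 or entry[1] == 0:
        return None
    off, size = entry
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"offset": off, "size": size, "length": length, "revision": revision,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for testing; not a real bootloader."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE signature at offset 0x40
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + 20 + len(opt)
    cert = b""
    if signed:
        payload = b"\x30\x82PLACEHOLDER-PKCS7"    # stands in for the real DER PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 4 * 8, header_len, len(cert))   # point entry 4 at it
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

A result of None for a file you just ran sbsign on means the .signed output was not moved into place; a result with "pkcs7" False means the certificate table holds something other than an Authenticode signature.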

Unmount the partition

Finally, unmount the disk:

cd ~ && umount /mnt

Install the Keys and Enroll Hash

Insert the USB into the target PC and boot. When prompted, select "enroll key", navigate to alpine_local.cer and add it. Then select "enroll hash", navigate to efi/boot/grubx64.efi, select it and add the hash. Now reboot and, given a bit of luck, it should launch Alpine. This step is a bit more complex than it needs to be because the binary distribution of rEFInd is already signed by the author's key. Once rEFInd is packaged, this step should become simpler.