UEFI Secure Boot: Difference between revisions

Revision as of 11:35, 7 May 2023

Mounting ESP

Prepare mount point for UEFI partition (ESP) at /boot/efi:

# install -d -m 000 /boot/efi

Add the following line to /etc/fstab:

Contents of /etc/fstab

...
UUID=<first-partition-uuid>  /boot/efi  vfat  rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2

Mount it:

# mount /boot/efi

Generating own UEFI keys

Install package efi-mkkeys:

# apk add efi-mkkeys

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

# mkdir -p /etc/uefi-keys/vendor # cd /etc/uefi-keys/vendor # for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

# efi-mkkeys -s "Your Name" -o /etc/uefi-keys

Now you can uninstall efi-mkkeys if you want:

# apk del efi-mkkeys

Generating Unified Kernel Image

Install package secureboot-hook and efibootmgr:

# apk add secureboot-hook efibootmgr

Adjust parameter cmdline in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd= parameter! Example of a valid cmdline:

cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"

Run kernel hooks:

# apk fix kernel-hooks

Disable mkinitfs trigger:

# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf

Add boot entry:

# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

Enrolling UEFI keys

Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

Reboot system and enter ThinkPad Setup (F1).
Go to Security > Secure Boot
Change Secure Boot to Enabled
Reset to Setup Mode
Go to Key Management
Authorized Signature Database (DB)
- Enroll DB > select your Flash Drive > select db.auth
- Delete DB > delete Microsoft certificates (optional)
Key Exchange Key (KEK)
- Enroll KEK > select your Flash Drive > select KEK.auth
- Delete KEK > delete Microsoft certificates (optional)
Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
Go to top, Restart > Exit Saving Changes

Resources

@@ Line 2: / Line 2: @@
 Prepare mount point for UEFI partition (ESP) at {{path|/boot/efi}}:
-{{cmd|install -d -m 000 /boot/efi}}
+{{cmd|# install -d -m 000 /boot/efi}}
 Add the following line to {{path|/etc/fstab}}:
-  UUID=<first-partition-uuid>  /boot/efi  vfat  rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
+{{Cat|/etc/fstab|...
+UUID{{=}}<first-partition-uuid>  /boot/efi  vfat  rw,noatime,fmask{{=}}0022,dmask{{=}}0022,codepage{{=}}437,iocharset{{=}}ascii,shortname{{=}}mixed,utf8,errors{{=}}remount-ro 0 2}}
 Mount it:
-{{cmd|mount /boot/efi}}
+{{cmd|# mount /boot/efi}}
 == Generating own UEFI keys ==
 Install package {{pkg|efi-mkkeys}}:
-{{cmd|apk add efi-mkkeys}}
+{{cmd|# apk add efi-mkkeys}}
 Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:
-{{cmd|mkdir -p /etc/uefi-keys/vendor
-cd /etc/uefi-keys/vendor
+{{cmd|# mkdir -p /etc/uefi-keys/vendor
-for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}
+&#35; cd /etc/uefi-keys/vendor
+&#35; for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done }}
 Generate your self-signed PK, KEK and db key, including .esl and .auth files:
-{{cmd|efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}
+{{cmd|# efi-mkkeys -s "Your Name" -o /etc/uefi-keys}}
 Now you can uninstall {{pkg|efi-mkkeys}} if you want:
-{{cmd|apk del efi-mkkeys}}
+{{cmd|# apk del efi-mkkeys}}
 == Generating Unified Kernel Image ==
 Install package {{pkg|secureboot-hook}} and {{pkg|efibootmgr}}:
-{{cmd|apk add secureboot-hook efibootmgr}}
+{{cmd|# apk add secureboot-hook efibootmgr}}
 Adjust parameter <code>cmdline</code> in {{path|/etc/kernel-hooks.d/secureboot.conf}}. It should '''not''' contain an <code>initrd=</code> parameter! Example of a valid <code>cmdline</code>:
-  cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"
+<pre>cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"</pre>
 Run kernel hooks:
-{{cmd|apk fix kernel-hooks}}
+{{cmd|# apk fix kernel-hooks}}
 Disable {{pkg|mkinitfs}} trigger:
-{{cmd|echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}
+{{cmd|# echo 'disable_trigger{{=}}yes' >> /etc/mkinitfs/mkinitfs.conf}}
 Add boot entry:
-{{cmd|efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}
+{{cmd|# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose}}
 Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.
@@ Line 67: / Line 80: @@
 == Resources ==
-* https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
+* [https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki]
-* https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
+* [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Unified Extensible Firmware Interface/Secure Boot - ArchWiki]
-* https://github.com/jirutka/efi-mkuki (used by the {{pkg|secureboot-hook}} package)
+* [https://github.com/jirutka/efi-mkuki efi-mkuki: EFI Unified Kernel Image Maker] (used by the {{pkg|secureboot-hook}} package)
 [[Category:Booting]]