UEFI Secure Boot

This page documents the procedure to enable UEFI Secure Boot after Alpine Linux is installed. To install Alpine Linux, secure boot needs to be disabled in UEFI firmware.

Mounting ESP

Prepare mount point for UEFI partition (ESP) at /boot/efi:

# install -d -m 000 /boot/efi

Add the following line to /etc/fstab as follows:

Mount it:

# mount /boot/efi

Generating own UEFI keys

Install package efi-mkkeys:

# apk add efi-mkkeys

Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:

# mkdir -p /etc/uefi-keys/vendor # cd /etc/uefi-keys/vendor # for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done

Generate your self-signed PK, KEK and db key, including .esl and .auth files:

# efi-mkkeys -s "Your Name" -o /etc/uefi-keys

Now you can uninstall efi-mkkeys if you want:

# apk del efi-mkkeys

Generating Unified Kernel Image

Install package secureboot-hook, systemd-efistub (Alpine v3.22+) or gummiboot-efistub (prior v3.22), and efibootmgr:

# apk add secureboot-hook systemd-efistub efibootmgr

Adjust parameter cmdline in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd= parameter! Example of a valid cmdline:

cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"

Run kernel hooks:

# apk fix kernel-hooks

Disable mkinitfs trigger:

# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf

Add boot entry:

# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose

Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.

Enrolling UEFI keys

Copy all *.esl, *.auth files from /etc/uefi-keys to a FAT formatted file system (you can use EFI system partition).

Launch firmware setup utility and enrol db, KEK and PK certificates (in this order!). Firmwares have various different interfaces; the following steps for ThinkPad T14s are just an example.

1. Reboot system and enter ThinkPad Setup (F1).
2. Go to Security > Secure Boot
3. Change Secure Boot to Enabled
4. Reset to Setup Mode
5. Go to Key Management
6. Authorized Signature Database (DB)
   • Enroll DB > select your Flash Drive > select db.auth
   • Delete DB > delete Microsoft certificates (optional)
7. Key Exchange Key (KEK)
   • Enroll KEK > select your Flash Drive > select KEK.auth
   • Delete KEK > delete Microsoft certificates (optional)
8. Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
9. Go to top, Restart > Exit Saving Changes

Some devices, such as HP Pavilion laptops, cannot enroll keys through the interface. Instead, you must follow the following steps (steps 1-5 and 9-12 may vary depending on the computer, they are for HP Pavilion laptops as an example):

1. Reboot system and enter HP Bios Setup Utility (F10).
2. Go to System Configuration
3. Change Secure Boot to Disabled
4. Select Clear All Secure Boot Keys
5. Press F10 to save settings
6. Reboot system and enter Alpine Linux
7. Enable the Community Repository
8. Run the following commands:

# apk update # apk add sbctl # sbctl create-keys # sbctl sign /boot/efi/Alpine/linux-lts.efi # sbctl enroll-keys -m

9. Reboot system and enter HP Bios Setup Utility (F10).
10. Go to System Configuration
11. Change Secure Boot to Enabled
12. Press F10 to save settings

Note: If you needed to use sbctl, you will have to run sbctl sign /boot/efi/Alpine/linux-lts.efi every time you upgrade the kernel. You should not need to disable secure boot, so long as you sign the new Unified Kernel Image before you reboot.

See also

• Initramfs init
• mkinitfs-bootparam(7)

• Sakaki's EFI Install Guide/Configuring Secure Boot - Gentoo Wiki
• Unified Extensible Firmware Interface/Secure Boot - ArchWiki
• efi-mkuki: EFI Unified Kernel Image Maker (used by the secureboot-hook package)