UEFI Secure Boot
This page documents the procedure to enable UEFI Secure Boot after Alpine Linux is installed. To install Alpine Linux, secure boot needs to be disabled in UEFI firmware.
Mounting ESP
Prepare mount point for UEFI partition (ESP) at /boot/efi:
# install -d -m 000 /boot/efi
Add a line for the ESP to /etc/fstab:
Contents of /etc/fstab
Mount it:
# mount /boot/efi
Generating own UEFI keys
Install package efi-mkkeys:
# apk add efi-mkkeys
Before creating new keys and modifying EFI variables, it is advisable to backup the current variables, so that they may be restored in case of error:
# mkdir -p /etc/uefi-keys/vendor
# cd /etc/uefi-keys/vendor
# for i in PK KEK db dbx; do efi-readvar -v $i -o $i.esl; done
Generate your self-signed PK, KEK and db key, including .esl and .auth files:
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
Now you can uninstall efi-mkkeys if you want:
# apk del efi-mkkeys
Generating Unified Kernel Image
Install the packages secureboot-hook, systemd-efistub (Alpine v3.22+) or gummiboot-efistub (before v3.22), and efibootmgr:
# apk add secureboot-hook systemd-efistub efibootmgr
Adjust the cmdline parameter in /etc/kernel-hooks.d/secureboot.conf. It must not contain an initrd= parameter! Example of a valid cmdline:
cmdline="root=UUID=<uuid-of-your-root-fs> modules=ext4"
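As an added pre-flight check (not from the Alpine wiki, secureboot-hook or any Alpine package), the script below reads the cmdline= setting from a secureboot.conf-style file and rejects the two mistakes that matter for a Unified Kernel Image: an initrd= parameter (the initramfs is already embedded in the UKI) and a missing root= parameter. The two sample config files are constructed inline and the UUID in them is a placeholder, so the script runs without touching a real system.

```shell
#!/bin/sh
# Pre-flight check for /etc/kernel-hooks.d/secureboot.conf. Added example,
# not a script shipped with Alpine or secureboot-hook. It relies only on the
# cmdline= setting described on this page; the sample files below are
# constructed here so the script can run anywhere.

# Print the value of cmdline="..." from a secureboot.conf-style file
# (last assignment wins, surrounding double quotes are stripped).
read_cmdline() {
    sed -n 's/^[[:space:]]*cmdline=\(.*\)$/\1/p' "$1" \
        | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 if the cmdline in file $1 is usable for a UKI, 1 otherwise with
# the reason on stderr. initrd= is wrong here (the initramfs lives inside the
# UKI); root= is required so the embedded init can find the root filesystem.
check_cmdline() {
    _cl=$(read_cmdline "$1")
    if [ -z "$_cl" ]; then
        echo "$1: cmdline is not set" >&2
        return 1
    fi
    for _param in $_cl; do
        case "$_param" in
            initrd=*)
                echo "$1: cmdline must not contain initrd= (found '$_param')" >&2
                return 1 ;;
        esac
    done
    case " $_cl " in
        *" root="*) ;;
        *)  echo "$1: cmdline has no root= parameter" >&2
            return 1 ;;
    esac
    return 0
}

# Constructed sample configs (the UUID is a placeholder, not a real filesystem).
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/secureboot-good.conf"
BAD_CONF="$SAMPLE_DIR/secureboot-bad.conf"
cat > "$GOOD_CONF" <<'EOF'
# mirrors the example cmdline on this page
cmdline="root=UUID=00000000-0000-0000-0000-000000000000 modules=ext4"
EOF
cat > "$BAD_CONF" <<'EOF'
# initrd= belongs to a non-UKI setup; secureboot-hook must not see it
cmdline="root=/dev/sda2 initrd=/boot/initramfs-lts modules=ext4"
EOF

# Real use: check_cmdline /etc/kernel-hooks.d/secureboot.conf && apk fix kernel-hooks
check_cmdline "$GOOD_CONF" && echo "OK: $GOOD_CONF"
check_cmdline "$BAD_CONF" || echo "REJECTED: $BAD_CONF"
```

Run it before `apk fix kernel-hooks`; a non-zero exit means the UKI would be built with a broken command line.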
Run kernel hooks:
# apk fix kernel-hooks
Disable mkinitfs trigger:
# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
Add boot entry:
# efibootmgr --disk <dev> --part 1 --create --label 'Alpine Linux' --load /Alpine/linux-lts.efi --verbose
Note: This procedure only needs to be done once; after that the Unified Kernel Image will be generated automatically every time the kernel is upgraded.
Enrolling UEFI keys
Copy all *.esl and *.auth files from /etc/uefi-keys to a FAT-formatted file system (the EFI system partition itself will do).
Launch the firmware setup utility and enrol the db, KEK and PK certificates (in this order!). Firmware setup interfaces differ between vendors; the following steps for a ThinkPad T14s are just an example.
- Reboot system and enter ThinkPad Setup (F1).
- Go to Security > Secure Boot
- Change Secure Boot to Enabled
- Reset to Setup Mode
- Go to Key Management
- Authorized Signature Database (DB)
- Enroll DB > select your Flash Drive > select db.auth
- Delete DB > delete Microsoft certificates (optional)
- Key Exchange Key (KEK)
- Enroll KEK > select your Flash Drive > select KEK.auth
- Delete KEK > delete Microsoft certificates (optional)
- Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last!)
- Go to top, Restart > Exit Saving Changes
Some devices, such as HP Pavilion laptops, cannot enroll keys through the firmware interface. Follow these steps instead (steps 1-5 and 9-12 may vary depending on the computer; they are given for HP Pavilion laptops as an example):
- Reboot system and enter HP Bios Setup Utility (F10).
- Go to System Configuration
- Change Secure Boot to Disabled
- Select Clear All Secure Boot Keys
- Press F10 to save settings
- Reboot the system and boot into Alpine Linux
- Enable the Community Repository
- Run the following commands:
# apk update
# apk add sbctl
# sbctl create-keys
# sbctl sign /boot/efi/Alpine/linux-lts.efi
# sbctl enroll-keys -m
- Reboot system and enter HP Bios Setup Utility (F10).
- Go to System Configuration
- Change Secure Boot to Enabled
- Press F10 to save settings
Note: If you used sbctl, you will have to run sbctl sign /boot/efi/Alpine/linux-lts.efi every time you upgrade the kernel. You should not need to disable Secure Boot, as long as you sign the new Unified Kernel Image before you reboot.
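One way to make sure that signing step is never forgotten is a kernel hook that re-signs the UKI after every kernel upgrade. The script below is an added example, not part of the Alpine wiki, secureboot-hook or sbctl; the file name zz-sbctl-sign.hook, the hook directory and the calling convention (hooks invoked as `<hook> <flavor> <new_version> <old_version>`, with an empty new_version on kernel removal) are assumptions about kernel-hooks, and the script checks that the UKI file exists before signing so it fails loudly rather than signing nothing.

```shell
#!/bin/sh
# /etc/kernel-hooks.d/zz-sbctl-sign.hook (hypothetical file name, chosen to
# sort after secureboot.hook). Added example, not shipped with Alpine,
# secureboot-hook or sbctl: re-sign the Unified Kernel Image with sbctl after
# each kernel install/upgrade so the manual "sbctl sign" step is not missed.
# Assumed kernel-hooks interface:  <hook> <flavor> <new_version> <old_version>,
# where new_version is empty when the kernel is being removed.
set -eu

ESP_DIR=/boot/efi/Alpine   # where secureboot-hook writes linux-<flavor>.efi

# Path of the UKI for a kernel flavor, e.g. "lts" -> /boot/efi/Alpine/linux-lts.efi
uki_path() {
    echo "$ESP_DIR/linux-$1.efi"
}

# Sign only on install/upgrade (non-empty new_version), never on removal.
# $1 = flavor, $2 = new_version. Returns 0 to sign, 1 to skip.
should_sign() {
    [ -n "${2:-}" ]
}

# Sign the UKI of flavor $1 with the sbctl-managed db key. Returns non-zero
# when sbctl is missing or the UKI has not been generated yet.
sign_uki() {
    _uki=$(uki_path "$1")
    if ! command -v sbctl >/dev/null 2>&1; then
        echo "sbctl not installed, cannot sign $_uki" >&2
        return 1
    fi
    if [ ! -f "$_uki" ]; then
        echo "$_uki does not exist (did secureboot-hook run before this hook?)" >&2
        return 1
    fi
    sbctl sign "$_uki"
}

# Entry point when invoked by kernel-hooks with arguments; with no arguments
# (e.g. when sourced for testing) nothing is signed.
if [ $# -ge 2 ]; then
    if should_sign "$1" "$2"; then
        sign_uki "$1"
    else
        echo "kernel flavor $1 removed, nothing to sign"
    fi
fi
```

Install it as an executable file in /etc/kernel-hooks.d/ and run `apk fix kernel-hooks` once to confirm it signs the freshly generated UKI; after that each kernel upgrade re-signs automatically, and a failed signing makes the apk transaction report the error instead of leaving an unsigned image on the ESP.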
See also
- Initramfs init
- mkinitfs-bootparam(7)