=> #software
I'm toying with alpine linux since a while. I am truely impressed by it's slim footprint on the disk. So I have tried it on a Dell Notebook as a "sys" install (everything on disk). Needless to say, it worked like a charm. But how about adding uefi/grub boot and disk encryption? While reading up on available documentation, I came across a detailed post at wejn.org. The author (Michal Jirků?) makes two points:
Now that shell script is full of wonders: using nvme disks; using zfs; using software RAID (mdadm) for the non-zfs parts; and on, all the way to using secure boot with his own keys ... what a ride.
=> https://wejn.org/2021/01/alpinelinux-secure-boot-with-full-encryption/
This bit really triggered my interest:
There were quite a number of puzzle pieces, which I had been searching before, everything in one place. Fabulous!
So I set out to install alpine linux on a Dell Latitude E6230 with a similar structure:
The commands to achieve this are listed below. It's not strictly a shell script. Be sure to adapt sizes and key material to your liking. I did repeat this installation on another notebook. Everything worked except for the secureboot step. So I tried another notebook (Dell Latitude E7470) and it worked on the first attempt. So either I did some mistake or omission, or that particular UEFI did not successfully replace the keys.
If you try this, don't follow it blindly! I don't want to hear that you bricked your system. Nonetheless, have the appropriate amount of fun!
Thanks to Michal and others for all the documentation!
Cheers,
~ew
=> https://alpinelinux.org/ | Home
# --- the gory details ----------------------------------------------- # boot an alpinelinux installation stick, possibly with uefi enabled # once at the login prompt, login as root # --- install a few more tools apk add e2fsprogs lsblk parted cryptsetup lvm2 iproute2 bash # --- delete old boot block and partition table dd if=/dev/zero of=/dev/sda bs=1M count=20 # --- create new partitions; there might be better ways parted /dev/sda \ mklabel gpt \ mkpart ESP fat32 2048s 256M \ set 1 esp on set 1 boot on \ mkpart BOOT ext2 256M 512M \ mkpart OS ext2 1G 64G \ print partprobe -s /dev/sda # --- Partition 1: Efi System Partition ------------------------------ # format mkfs.vfat -F 32 /dev/sda1 # /boot/efi # --- Partition 2: ext2 for /boot ------------------------------------ # create a key file. This mantra is intented to be used interactively, # hence "echo -n", because in keyfiles, \n will NOT end the input, but # EOF will. echo -n "mai-sikkritt-mantra" > ./p2.mantra chmod 0600 ./p2.mantra # create a crypto_luks1 container on partition 2 (boot) # use luks1 format! cryptsetup luksFormat --type luks1 -d ./p2.mantra /dev/sda2 # open and format cryptsetup open -d ./p2.mantra /dev/sda2 sda2_crypt mkfs.ext2 /dev/mapper/sda2_crypt # --- Partition 3: crypto_luks1, hosting lvm2 ------------------------ # create a keyfile. This mantra is not intented to be used interactively. touch ./crypto_keyfile.bin chmod 0600 ./crypto_keyfile.bin dd bs=512 count=4 if=/dev/urandom of=./crypto_keyfile.bin # format and open crypto_luks1 container cryptsetup luksFormat --type luks1 -d ./crypto_keyfile.bin /dev/sda3 cryptsetup open -d ./crypto_keyfile.bin /dev/sda3 sda3_crypt # use as physical volume in volume group 0 pvcreate /dev/mapper/sda3_crypt vgcreate vg0 /dev/mapper/sda3_crypt # create 3 logical volumes and format them lvcreate -a y -l 2048 -n lvroot vg0 lvcreate -a y -l 2048 -n lvswap vg0 lvcreate -a y -l 2048 -n lvhome vg0 mkfs.ext4 /dev/mapper/vg0-lvroot mkswap /dev/mapper/vg0-lvswap swapon /dev/mapper/vg0-lvswap mkfs.ext4 /dev/mapper/vg0-lvhome # --- mount target tree on /mnt -------------------------------------- mount -t ext4 /dev/mapper/vg0-lvroot /mnt mkdir /mnt/boot mount -t ext2 /dev/mapper/sda2_crypt /mnt/boot mkdir /mnt/boot/efi mount /dev/sda1 /mnt/boot/efi mkdir /mnt/home mount -t ext4 /dev/mapper/vg0-lvhome /mnt/home # copy key files cp -a ./p2.mantra ./crypto_keyfile.bin /mnt/ # --- install alpinelinux on /mnt ------------------------------------ # this part can be automated by creating and editing an "answer file" setup-timezone # UTC setup-alpine -q # us us-altgr-intl setup-sshd # openssh setup-ntp # chrony apk add efibootmgr grub-efi export BOOTLOADER=grub export USE_EFI=1 setup-disk -m sys /mnt # --- now play the chroot trick :-) ---------------------------------- # a number of things need to be configured in the newly # installed system. So we make it functional ... mount -t proc /proc /mnt/proc mount --rbind /dev /mnt/dev mount --make-rslave /mnt/dev mount --rbind /sys /mnt/sys # enter chroot chroot /mnt PS1="(chroot) $PS1" apk add grub grub-efi efibootmgr # probably unneeded apk del syslinux # optional # create a configuration to generate a grub.cfg file blkid /dev/sda3 # get UUID, is used in next step cat </etc/default/grub GRUB_DISTRIBUTOR="Alpine" GRUB_TIMEOUT=5 GRUB_DISABLE_SUBMENU=y GRUB_DISABLE_RECOVERY=true GRUB_DISABLE_OS_PROBER=y GRUB_PRELOAD_MODULES="part_gpt cryptodisk luks ext2" GRUB_ENABLE_CRYPTODISK=y GRUB_DISABLE_LINUX_PARTUUID=true GRUB_DISABLE_LINUX_UUID=true GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4 cryptroot=UUID= cryptdm=sda3_crypt cryptkey" EOF # generate grub.cfg grub-mkconfig -o /boot/grub/grub.cfg # install grub -> /boot/efi/EFI/alpine/grubx64.efi grub-install --target=x86_64-efi --efi-directory=/boot/efi # generate initramfs; this stage must decrypt sda3, start the # volume group and mount lvroot; therefore a few more features # need to be enabled; cryptkey will include file /crypto_keyfile.bin cat < /etc/mkinitfs/mkinitfs.conf features="ata base ide scsi usb virtio ext2 ext4 lvm cryptsetup cryptkey" EOF # refresh initramfs-lts mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(ls /lib/modules/) # enable cryptsetup to open these partitions in the booted system cat < > /etc/conf.d/dmcrypt target='sda2_crypt' source='/dev/sda2' key='/p2.mantra' target='sda3_crypt' source='/dev/sda3' key='/crypto_keyfile.bin' # fin EOF # make sda2_crypt available during boot apk add cryptsetup-openrc rc-update add dmcrypt boot rc-update add lvm sysinit # ??? sysvinit or boot? # edit /etc/fstab; "lsblk -f" is your friend cat < > /etc/fstab UUID= /boot ext4 rw,relatime 0 2 UUIE= swap swap defaults 0 0 EOF rc-update add swap boot # --- secureboot ----------------------------------------------------- # first a set of properly formatted key,cert files are generated # files: {KEK,PK,db}.{auth,cer,crt,esl,key} apk add efi-mkkeys sbsigntool mkdir /etc/uefi-keys efi-mkkeys -s "Your Name" -o /etc/uefi-keys cp /etc/uefi-keys/*.auth /boot/efi/ # there is a funny error, which can be worked around sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/alpine/grubx64.efi # now we need to sign grub sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt /boot/efi/EFI/alpine/grubx64.efi mv /boot/efi/EFI/alpine/grubx64.efi.signed /boot/efi/EFI/alpine/grubx64.efi exit # chroot exited umount -l /mnt/dev umount -l /mnt/proc umount -l /mnt/sys umount /mnt/boot/efi umount /mnt/boot umount /mnt/home umount /mnt swapoff /dev/mapper/vg0-lvswap vgchange -a n cryptsetup close sda3_crypt cryptsetup close sda2_crypt reboot # remove the usb stick # enter UEFI # - enable secure boot # - enable custom key management # - replace keys db KEK PK (apparently order is significant) with the # correspondig *.auth files # - create a uefi boot entry, if not there # - save + exit # # Now booting up should # - show grub asking for the mantra of sda2 # - show the grub.cfg menu # - boot alpine linux and start the system without any further questions # # Time to set a password on UEFI # Time for post-install activities # # Congrats!
text/gemini
This content has been proxied by September (ba2dc).