From b18efc9901c56a7d2adfa6dc326b7dfd91c304ad Mon Sep 17 00:00:00 2001 From: Luc Date: Tue, 24 Dec 2024 13:14:52 +0100 Subject: [PATCH] docs:alpine-server-setup/installation.md: implement legacy, booster to mkinitfs and implement zlevis. --- docs/alpine-server-setup/installation.md | 85 ++++++++++-------------- 1 file changed, 34 insertions(+), 51 deletions(-) diff --git a/docs/alpine-server-setup/installation.md b/docs/alpine-server-setup/installation.md index e3f0d2e..cf7666c 100644 --- a/docs/alpine-server-setup/installation.md +++ b/docs/alpine-server-setup/installation.md @@ -2,38 +2,36 @@ To install the Alpine Linux distribution on the system, the datasets of the system pool and the EFI partitions have to be mounted to the main system. -First import and decrypt the system pool. +First import and decrypt the system pool: ``` # zpool import -N -R /mnt tank # zfs load-key -L file:///tmp/tank.key tank ``` -Mount the datasets in the system pool and decrypt the home dataset. +Mount the datasets in the system pool and decrypt the home dataset: ``` -# zfs mount tank/root/alpine +# mount tank/root/alpine /mnt -t zfs -o noatime # zfs mount tank/home # zfs mount tank/var ``` -Mount the ESP. +Mount the ESP: ``` # mkdir /mnt/esp # mount /dev/md/esp /mnt/esp -t vfat ``` -Then install Alpine Linux. +Then install Alpine Linux: ``` # export BOOTLOADER=none # setup-disk -m sys /mnt ``` -> This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP. - -To have a functional chroot into the system, bind the system process directories. +To have a functional chroot into the system, bind the system process directories: ``` # for dir in dev proc sys run; do @@ -67,7 +65,7 @@ clock_hctosys="NO" clock_systohc="NO" ``` -Configure the ESP raid array to mount. +Configure the ESP raid array to mount: ``` # modprobe raid1 @@ -77,61 +75,50 @@ Configure the ESP raid array to mount. # rc-update add mdadm-raid boot ``` -Configure ZFS to mount. +Configure ZFS to mount: ``` rc-update add zfs-import sysinit rc-update add zfs-mount sysinit +rc-update add zfs-load-key sysinit ``` +> If a faster boot time is preferred, `zfs-import` and `zfs-load-key` can be omitted in certain cases. + Edit `/etc/fstab` for correct mounts: ``` -/dev/md/esp /esp vfat defaults,nodev,nosuid,noexec 0 2 -tmpfs /tmp tmpfs rw,size=4G,nr_inodes=5k,nodev,nosuid,noexec,mode=1777 0 0 -proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0 +/dev/md/esp /esp vfat defaults,nodev,nosuid,noexec 0 2 +tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0 +proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0 ``` -By default, Alpine Linux uses `mkinitfs` to create an initial ram filesystem, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`. +Install the following packages to make `mkinitfs` compatible with secureboot and TPM decryption: ``` -# apk add booster secureboot-hook sbctl -# apk del mkinitfs grub-efi +# apk add secureboot-hook sbctl tpm2-tools zlevis ``` -To configure booster edit `/etc/booster.yaml`: +Configure `/etc/mkinitfs/mkinitfs.conf` to disable trigger and to add the `zlevis-hook`: ``` -enable_zfs: true -busybox: false -modules: vfat,nls_cp437,nls_iso8859_1 +features="... zlevis" +disable_trigger="yes" ``` -The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line: +The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure `/etc/kernel-hooks.d/secureboot.conf` to set kernel cmdline options and secureboot: ``` -/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR" -``` +cmdline="rw root=ZFS=tank/root/alpine rootflags=noatime quiet splash" -to: - -``` -/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR" -``` - -and configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot. - -``` -cmdline="rw zfs=tank/root/alpine quiet splash" - -signing_cert="/usr/share/secureboot/keys/db/db.pem" -signing_key="/usr/share/secureboot/keys/db/db.key" +signing_cert="/var/lib/sbctl/keys/db/db.pem" +signing_key="/var/lib/sbctl/keys/db/db.key" output_dir="/esp/efi/linux" output_name="alpine-linux-{flavor}.efi" ``` -Use `sbctl` to create secureboot keys and sign them. +Use `sbctl` to create secureboot keys and sign them: ``` # sbctl create-keys @@ -140,7 +127,7 @@ Use `sbctl` to create secureboot keys and sign them. > Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys. -Set the cache-file of the ZFS pool. +Set the cache-file of the ZFS pool: ``` # zpool set cachefile=/etc/zfs/zpool.cache tank @@ -152,9 +139,15 @@ Now to see if everything went successfully, run: # apk fix kernel-hooks ``` +Now to see if everything went successfully, run: + +``` +# apk fix kernel-hooks +``` + and it should give no warnings if done properly. -As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloader. +To install `gummiboot` as friendly bootloader: ``` # apk add gummiboot @@ -163,7 +156,7 @@ As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloade # cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi ``` -Sign the bootloader with `sbctl`. +Sign the bootloader with `sbctl`: ``` # sbctl sign -s /esp/efi/boot/bootx64.efi @@ -171,15 +164,7 @@ Sign the bootloader with `sbctl`. > One may verify the signed files by running `sbctl verify`, in this case `ESP_PATH=/esp` should be defined to work properly. -Remove some remnants of `grub`. - -``` -# rm -rf /boot/grub -# rm -rf /etc/default -# cd /boot && unlink boot && cd .. -``` - -`gummiboot` can be configured with the file `/esp/loader/loader.conf` with which the timeout and the default OS can be specified. +`gummiboot` can be configured with the file `/esp/loader/loader.conf` with which the timeout and the default OS can be specified: ``` default alpine-linux-lts.efi @@ -187,8 +172,6 @@ timeout 2 editor no ``` -> Here, there should be lines explaining the setup of automatic decryption with TPM using Clevis. Which is still in development... - Now exit the chroot and you should be able to reboot into a working Alpine system. ```