Installation
To install Alpine Linux, first mount the root subvolume and the EFI partition under /mnt.
# mount -o subvol=@root /dev/mapper/luks /mnt -t btrfs
# mkdir /mnt/efi -p
# mount /dev/<disk>1 /mnt/efi -t vfat
Then set up the base system using setup-disk:
# setup-disk -m sys /mnt
This also installs grub as the bootloader. It will be replaced later, but for now it resides on the EFI partition.
To make it possible to chroot into the system, mount the other directories:
# for i in dev proc sys run; do
> mount --rbind --make-rslave /$i /mnt/$i
> done
# chroot /mnt
The other setup scripts can be used to configure key aspects of the system. Besides that, a few necessary services have to be enabled:
# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# rc-update add acpid default
# rc-update add seedrng boot
# rm -rf /var/tmp ; ln -s /tmp /var/tmp
# passwd root
The root password does not really matter because it is going to be locked after a user has been created.
Set the hwclock to use UTC in /etc/conf.d/hwclock and disable writing the time to hardware. Running an NTP daemon makes that redundant.
clock="UTC"
clock_hctosys="NO"
clock_systohc="NO"
Edit /etc/fstab for correct mounts:
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec 0 2
/dev/disk/by-uuid/<volume-uuid> / btrfs defaults,noatime,subvol=/@root 0 1
/dev/disk/by-uuid/<volume-uuid> /home btrfs defaults,noatime,nodev,nosuid,subvol=/@home 0 2
/dev/disk/by-uuid/<volume-uuid> /var btrfs defaults,nodev,nosuid,noexec,subvol=/@var 0 2
/dev/disk/by-uuid/<volume-uuid> /nix btrfs defaults,noatime,nodev,nosuid,subvol=/@nix 0 2
tmpfs /tmp tmpfs rw,size=4G,nr_inodes=5k,noexec,nodev,nosuid,mode=1777 0 0
proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0
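Here <volume-uuid> has to be replaced with the UUID of the root volume. The command below appends the blkid output to /etc/fstab so the UUID can be copied into place; delete the appended line afterwards: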
# blkid /dev/mapper/luks >> /etc/fstab
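The nodev, nosuid, noexec and hidepid=2 options in the fstab above are easy to lose in a later edit. The following is an added example, not part of the original page: a POSIX sh function that checks an fstab-format file against those options. The names POLICY, check_fstab and sample_fstab are made up for this example, and the sample entries are constructed.

```sh
#!/bin/sh
# Added example, not the page's own code: audit an fstab-format file.
# Policy: mount point and the options it must end up with (from this page).
POLICY='/efi nodev,nosuid,noexec
/home nodev,nosuid
/var nodev,nosuid,noexec
/nix nodev,nosuid
/tmp nodev,nosuid,noexec
/proc nodev,nosuid,noexec,hidepid=2'

# check_fstab FILE: print "ABSENT <mp>" or "MISSING <mp> <opt>" per gap, return 1
# if any. Options apply left to right, so a later "exec" cancels "noexec".
check_fstab() {
    printf '%s\n' "$POLICY" | awk -v table="$1" '
    function in_effect(optstr, w,    o, n, i, pos, on) {
        n = split(optstr, o, ","); pos = w; sub(/^no/, "", pos); on = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == w) on = 1
            else if (w ~ /^no/ && o[i] == pos) on = 0
        }
        return on
    }
    BEGIN {                                   # load FILE: field 2 -> field 4
        while ((getline line < table) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) continue
            split(line, f, /[ \t]+/); opts[f[2]] = f[4]
        }
    }
    {                                         # one policy line per record
        if (!($1 in opts)) { print "ABSENT " $1; bad = 1; next }
        n = split($2, req, ",")
        for (i = 1; i <= n; i++)
            if (!in_effect(opts[$1], req[i])) { print "MISSING " $1 " " req[i]; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample: /var lacks noexec, /tmp re-enables exec, /nix is absent.
sample_fstab() {
    cat <<'EOF'
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec 0 2
/dev/disk/by-uuid/0000 /home btrfs defaults,noatime,nodev,nosuid,subvol=/@home 0 2
/dev/disk/by-uuid/0000 /var btrfs defaults,nodev,nosuid,subvol=/@var 0 2
tmpfs /tmp tmpfs rw,noexec,nodev,nosuid,exec,mode=1777 0 0
proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0
EOF
}
[ $# -eq 0 ] || check_fstab "$1"   # audit a file when one is given as argument
```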
By default, Alpine Linux uses mkinitfs to create an initial RAM filesystem. It is minimal, which also means that it lacks some functionality needed for a proper setup. Because of this, mkinitfs and grub-efi will be replaced with booster and secureboot-hook.
# apk add booster secureboot-hook sbctl
# apk del mkinitfs grub-efi
To configure booster, edit /etc/booster.yaml:
busybox: false
modules: vfat,nls_cp437,nls_iso8859_1
The most important step is the creation of a UKI (unified kernel image) using secureboot-hook, which also signs it automatically. First the hook itself has to be tweaked to use booster instead of mkinitfs: edit /etc/kernel-hooks.d/50-secureboot.hook and change the line:
/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
to:
/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"
and configure /etc/kernel-hooks.d/secureboot.conf for the cmdline and secureboot:
cmdline="rw rd.luks.name=<partition-uuid>=luks root=/dev/disk/by-uuid/<volume-uuid> rootflags=subvol=/@root quiet splash"
signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"
output_dir="/efi/EFI/Linux"
output_name="alpine-linux-{flavor}.efi"
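Here <partition-uuid> and <volume-uuid> have to be replaced with the UUID of the root partition and volume respectively. The commands below append the blkid output to the file for copying; remove those lines once the values are filled in: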
# blkid /dev/<disk>2 >> /etc/kernel-hooks.d/secureboot.conf
# blkid /dev/mapper/luks >> /etc/kernel-hooks.d/secureboot.conf
Use sbctl to create secureboot keys and sign them.
# sbctl create-keys
# sbctl enroll-keys
...
Whilst enrolling the keys it might be necessary to add the --microsoft flag if you are unable to use custom keys.
Now to see if everything went successfully, run:
# apk fix kernel-hooks
and it should give no warnings if done properly.
As discussed earlier, grub will be replaced. Install gummiboot as the bootloader:
# apk add gummiboot
# gummiboot install --path=/efi
# sbctl sign -s /efi/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /efi/EFI/Boot/BOOTX64.EFI
Also remove some remnants of grub:
# rm -rf /efi/EFI/alpine
# rm -rf /efi/grub
# rm -rf /etc/default
# cd /boot && unlink boot
gummiboot can be configured with the file /efi/loader/loader.conf, in which the timeout and the default OS can be specified.
default alpine-linux-lts.efi
timeout 2
editor no
Now exit the chroot and you should be able to reboot into a working Alpine system.
# exit
# umount -lf /mnt
# reboot
When booting up, your screen might appear blank; this is the encryption prompt. Enter the encryption key and press Enter to boot.
Do note that "Linux Boot Manager" will have to be set to load first in your BIOS.