Upgrading grub on my alpine with secureboot setup
Problem statement
I’ve been using my secure boot with fully encrypted filesystems on Alpine Linux for a good long while now.
Recently I wanted to upgrade from Alpine 3.15 to 3.18, which also includes a minor grub upgrade.
This is how[1].
Solution
Before I started, I took a few precautions[2]:
zfs snapshot nvmetank/ROOT/alpine@$(date +%Y%m%d%H%M%S)
cd /boot/
tar zcvf _backup-$(date +%Y%m%d%H%M%S).tgz [a-zA-Z]*
cd /efi/
tar zcvf _backup-$(date +%Y%m%d%H%M%S).tgz [a-zA-Z]*
Call me paranoid, but having something to go back to is nice.
Then I edited /etc/apk/repositories and did the normal `apk update; apk upgrade` song and dance.
But in order to upgrade the grub, a few more manual steps are needed.
Referencing the old install script (from the post above), it was straightforward:
# New grub binary
grub-install --target=x86_64-efi --efi-directory=/efi
# ... `efibootmgr` errors out crying it can't register boot entry; that's ok.
# Turn off the troublesome "SecureBoot" codepath & sign the binary
cd /efi/EFI/alpine
sed -i 's/SecureBoot/SecureB00t/' grubx64.efi
sbsign --key /boot/secureboot/sb.key --cert /boot/secureboot/sb.crt grubx64.efi
mv grubx64.efi.signed grubx64.efi
# Replace the existing efi binary, keeping a backup
cd ../boot/
mv bootx64.efi old.efi
mv ../alpine/grubx64.efi bootx64.efi
# Cleanup
cd
rmdir /efi/EFI/alpine
# Note (2024-08-17): Grub 2.12 messed up my secureboot setup,
# and an additional fix was needed:
# https://wejn.org/2024/08/grub-2.12-broke-my-secureboot-again/
Obviously all of the above is highly specific to that one install script I use to bootstrap my pets[3].
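A pre-swap check for the procedure above, as an added example that is not part of the original post or its install script: it confirms the sed rename left the binary the same size with no SecureBoot string remaining, and that the signed image verifies against sb.crt before it replaces bootx64.efi. The function names and the grubx64.efi.orig copy are assumptions; sbverify is the verification counterpart to sbsign in sbsigntools.

```sh
#!/bin/sh
# Added example (not from the original post): checks to run after sbsign and
# before the signed grubx64.efi replaces bootx64.efi. Function names are hypothetical.

# The sed rename is same-length (10 bytes each way), so sizes must match.
same_size() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ]
}

# The post's sed has no "g" flag, so only the first match per newline-delimited
# chunk is rewritten; fail if any "SecureBoot" survived or nothing was renamed.
patch_applied() {
    if grep -a -q -F 'SecureBoot' "$1"; then
        echo "FAIL: $1 still contains SecureBoot" >&2
        return 1
    fi
    grep -a -q -F 'SecureB00t' "$1" || {
        echo "FAIL: $1 has no SecureB00t; was it patched at all?" >&2
        return 1
    }
}

# Verify the Authenticode signature against the signing certificate.
signature_ok() {
    command -v sbverify >/dev/null 2>&1 || {
        echo "FAIL: sbverify not found" >&2
        return 2
    }
    sbverify --cert "$2" "$1" >/dev/null
}

# preflight ORIG PATCHED SIGNED CERT: returns 0 only if every check passes.
preflight() {
    same_size "$1" "$2" || { echo "FAIL: size changed by sed" >&2; return 1; }
    patch_applied "$2" || return 1
    patch_applied "$3" || return 1
    signature_ok "$3" "$4" || { echo "FAIL: signature check" >&2; return 1; }
    echo "OK: $3 is patched and verifies against $4"
}

# Usage, in /efi/EFI/alpine with the paths from the post
# (grubx64.efi.orig is an assumed copy taken before the sed line):
#   cp grubx64.efi grubx64.efi.orig
#   sed ...; sbsign ...
#   preflight grubx64.efi.orig grubx64.efi grubx64.efi.signed \
#       /boot/secureboot/sb.crt && mv grubx64.efi.signed grubx64.efi
```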
Closing words
To be honest, I expected a bit more fight from the upgrade… but I was pleasantly surprised it was nearly a no-op.
And so I’m leaving a note to myself, so I can copypasta next time.