Upgrading grub on my alpine with secureboot setup
I’ve been using my secure boot with fully encrypted filesystems on Alpine Linux for a good long while now.
Recently I wanted to upgrade from Alpine 3.18, which also includes a minor grub upgrade.
This is how.
Before I started, I took a few precautions:
    zfs snapshot nvmetank/ROOT/alpine@$(date +%Y%m%d%H%M%S)
    cd /boot/
    tar zcvf _backup-$(date +%Y%m%d%H%M%S).tgz [a-zA-Z]*
    cd /efi/
    tar zcvf _backup-$(date +%Y%m%d%H%M%S).tgz [a-zA-Z]*
Call me paranoid, but having something to go back to is nice.
Then I edited /etc/apk/repositories and did the normal apk update; apk upgrade song and dance.
But in order to upgrade the grub, a few more manual steps are needed.
Referencing the old install script (from the post above), it was straightforward:
    # New grub binary
    grub-install --target=x86_64-efi --efi-directory=/efi
    # ... `efibootmgr` errors out crying it can't register boot entry; that's ok.

    # Turn off the troublesome "SecureBoot" codepath & sign the binary
    cd /efi/EFI/alpine
    sed -i 's/SecureBoot/SecureB00t/' grubx64.efi
    sbsign --key /boot/secureboot/sb.key --cert /boot/secureboot/sb.crt grubx64.efi
    mv grubx64.efi.signed grubx64.efi

    # Replace the existing efi binary, keeping a backup
    cd ../boot/
    mv bootx64.efi old.efi
    mv ../alpine/grubx64.efi bootx64.efi

    # Cleanup
    cd
    rmdir /efi/EFI/alpine
Obviously all of the above is highly specific to that one install script I use to bootstrap my pets.
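The replace step above trusts that the freshly signed binary is good. As an added example (not part of the original install script), here is a guarded version of that swap that checks the signature with sbverify, which ships with sbsigntools alongside sbsign, before touching bootx64.efi; the function names verify_sig and swap_bootloader are made up for this sketch.

```sh
#!/bin/sh
# Added example, not from the original post: verify the signed GRUB
# binary before it replaces the one the firmware currently boots.

# Check the signature on an EFI image against the Secure Boot certificate.
verify_sig() {
    sbverify --cert "$1" "$2" >/dev/null 2>&1
}

# swap_bootloader NEW_EFI CERT BOOT_DIR
# Replaces BOOT_DIR/bootx64.efi with NEW_EFI only if NEW_EFI verifies
# against CERT. The previous binary is kept as BOOT_DIR/old.efi.
# With the paths from the post:
#   swap_bootloader /efi/EFI/alpine/grubx64.efi \
#       /boot/secureboot/sb.crt /efi/EFI/boot
swap_bootloader() {
    new_efi=$1 cert=$2 boot_dir=$3

    [ -s "$new_efi" ] || { echo "missing or empty: $new_efi" >&2; return 2; }
    [ -f "$boot_dir/bootx64.efi" ] || { echo "no current bootx64.efi" >&2; return 2; }

    # Any byte changed after sbsign (for example running the sed patch
    # too late) invalidates the signature, so check before swapping.
    if ! verify_sig "$cert" "$new_efi"; then
        echo "signature check failed, leaving $boot_dir untouched" >&2
        return 1
    fi

    # Stage next to the target so the final mv is a rename, and
    # re-check the staged copy in case the copy itself went wrong.
    cp "$new_efi" "$boot_dir/bootx64.efi.new" || return 2
    if ! verify_sig "$cert" "$boot_dir/bootx64.efi.new"; then
        rm -f "$boot_dir/bootx64.efi.new"
        echo "staged copy failed verification" >&2
        return 1
    fi

    cp "$boot_dir/bootx64.efi" "$boot_dir/old.efi" || return 2
    mv "$boot_dir/bootx64.efi.new" "$boot_dir/bootx64.efi"
}
```

Unlike the plain mv sequence, a failed check leaves both bootx64.efi and any earlier old.efi exactly as they were.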
To be honest, I expected a bit more fight from the upgrade… but I was pleasantly surprised it was nearly a no-op.
And so I’m leaving a note to myself, so I can copypasta next time.