Upgrading grub on my alpine with secureboot setup

Problem statement

I’ve been using my secure boot with fully encrypted filesystems on Alpine Linux for a good long while now.

Recently I wanted to upgrade from Alpine 3.15 to 3.18, which also includes a minor grub upgrade.

This is how1.


Before I started, I took a few precautions2:

zfs snapshot nvmetank/ROOT/alpine@$(date +%Y%m%d%H%M%S)
cd /boot/
tar zcvf _backup-$(date +%Y%m%d%H%M%S).tgz [a-zA-Z]*
cd /efi/
tar zcvf _backup-$(date +%Y%m%d%H%M%S).tgz [a-zA-Z]*

Call me paranoid, but having something to go back to is nice.

Then I’ve edited the /etc/apk/repositories and I’ve done the normal apk update; apk upgrade song and dance.

But in order to upgrade the grub, a few more manual steps are needed.

Referencing the old install script (from the post above), it was straightforward:

# New grub binary
grub-install --target=x86_64-efi --efi-directory=/efi
# ... `efibootmgr` errors out crying it can't register boot entry; that's ok.

# Turn off the troublesome "SecureBoot" codepath & sign the binary
cd /efi/EFI/alpine
sed -i 's/SecureBoot/SecureB00t/' grubx64.efi
sbsign --key /boot/secureboot/sb.key --cert /boot/secureboot/sb.crt grubx64.efi
mv grubx64.efi.signed grubx64.efi

# Replace the existing efi binary, keeping a backup
cd ../boot/
mv bootx64.efi old.efi
mv ../alpine/grubx64.efi bootx64.efi

# Cleanup
rmdir /efi/EFI/alpine

Obviously all of the above is highly specific to that one install script I use to bootstrap my pets3.

Closing words

To be honest, I expected a bit more fight from the upgrade… but I was pleasantly surprised it was nearly a no-op.

And so I’m leaving a note to myself, so I can copypasta next time.

  1. Spoiler alert: it’s hardly groundbreaking.

  2. Always be having a rollback point, even if somewhat painful to use.

  3. In the “cattle, not pets” sense. Servers. Simply Linux servers. Except for raspberries, those are special snowflakes.