From b8775e8116931be575d10434a20e687d93bd518b Mon Sep 17 00:00:00 2001 From: Luc Date: Sat, 2 Aug 2025 17:26:36 +0200 Subject: [PATCH] docs/server-os/posts/01-alpine-install.md: update --- docs/server-os/posts/01-alpine-install.md | 44 +++++++++++------------ 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/docs/server-os/posts/01-alpine-install.md b/docs/server-os/posts/01-alpine-install.md index 52aef77..8f3d0a9 100644 --- a/docs/server-os/posts/01-alpine-install.md +++ b/docs/server-os/posts/01-alpine-install.md @@ -12,7 +12,7 @@ categories: - Base installation --- -This blog entry will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) for a server application. Alpine Linux will run on a raid configured encrypted ZFS filesystem with automatic decryption using TPM. Alpine Linux makes a good base for a server because of its simplicity, lightweightness and security. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information. +This blog entry will demonstrate how to install `x86_64` [Alpine Linux](https://www.alpinelinux.org/) for a server application. Alpine Linux will run on a raid configured encrypted ZFS filesystem with automatic decryption using TPM. Alpine Linux makes a good base for a server because of its simplicity, lightweightness and security. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information. 
@@ -25,20 +25,18 @@ After booting the Alpine Linux extended ISO, partition the disks. For this actio To set it up the `setup-interfaces` and `setup-apkrepos` scripts present on the Alpine Linux ISO will be used. ``` shell-session -sh# setup-interfaces -ar +sh# setup-interfaces -ar #(1)! sh# setup-apkrepos -c1 ``` -> To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar. +1. To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar. A few packages will have to be installed first. ``` shell-session -sh# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm zlevis +sh# apk add zfs lsblk sgdisk wipefs dosfstools mdadm zlevis ``` -> The `zlevis` package is as of this moment not yet in the alpine package repository. Try to get it into the `bin` via a different method and add its dependencies `tpm2-tools` and `jose`. - and load the ZFS kernel module: ``` shell-session @@ -156,12 +154,10 @@ sh# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o Write the encryption key to TPM with `zlevis`: ``` shell-session -sh# zlevis encrypt rpool '{}' < /tmp/rpool.key +sh# zlevis encrypt rpool '{"pcr_ids":"0,1,7"}' < /tmp/rpool.key #(1)! ``` -> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly. - - +1. See [zlevis functionality](https://docs.ampel.dev/zlevis/functionality/) to see the functionality of each `pcr_id`, and the other options that can be set. > To check if it worked, perform `zlevis decrypt rpool`. @@ -245,8 +241,8 @@ sh# rc-update add mdadm-raid boot Configure ZFS to mount: ``` shell-session -sh# rc-update add zfs-import sysinit sh# rc-update add zfs-mount sysinit +sh# rc-update add zfs-import sysinit sh# rc-update add zfs-load-key sysinit ``` 
@@ -264,20 +260,20 @@ proc /proc proc nodev,nosuid,noexec,hidepid=2 Install the following packages to make `mkinitfs` compatible with secureboot and TPM decryption: -``` shell-sessions -sh# apk add secureboot-hook sbctl tpm2-tools zlevis +``` shell-session +sh# apk add secureboot-hook sbctl zlevis zlevis-mkinitfs #(1)! ``` -Configure `mkinitfs` to disable trigger and to add the `zlevis-hook`: +1. The `mkinitfs-zlevis` package is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation](https://docs.ampel.dev/zlevis/implementation/#mkinitfs). + +Configure `mkinitfs` to disable the trigger and to add the `zlevis` module: ``` shell title="/etc/mkinitfs/mkinitfs.conf" features="... zlevis" disable_trigger="yes" ``` -> The `mkinitfs` package that supports `zlevis` is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation](https://docs.ampel.dev/zlevis). - -The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure the `kernel-hooks` to set the kernel cmdline options and secureboot: +The most important step is the creation of a UKI using the `secureboot-hook` of `mkinitfs`, which also automatically signs them. Configure the `kernel-hooks` to set the kernel cmdline options and secureboot: ``` shell title="/etc/kernel-hooks.d/secureboot.conf" cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash" @@ -285,7 +281,7 @@ cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash" signing_cert="/var/lib/sbctl/keys/db/db.pem" signing_key="/var/lib/sbctl/keys/db/db.key" -output_dir="/efi/efi/linux" +output_dir="/efi/EFI/Linux" output_name="alpine-linux-{flavor}.efi" ``` 
@@ -293,10 +289,10 @@ Use `sbctl` to create secureboot keys and sign them: ``` shell-session sh# sbctl create-keys -sh# sbctl enroll-keys +sh# sbctl enroll-keys #(1)! ``` -> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys. +1. Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys. Set the cache-file of the ZFS pool: @@ -312,16 +308,16 @@ sh# apk fix kernel-hooks and it should give no warnings if done properly. -To install `gummiboot` as friendly bootloader: +To install `systemd-boot` as friendly bootloader: ``` shell-session -sh# apk add gummiboot -sh# gummiboot install +sh# apk add systemd-boot +sh# bootctl install ``` > One may verify the signed files by running `sbctl verify`. -Configure `gummiboot` to specify the timeout and the default OS : +Configure `systemd-boot` to specify the timeout and the default OS : ``` shell title="/efi/loader/loader.conf" default alpine-linux-lts.efi
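Review bot: in the `@@ -12,7 +12,7 @@` hunk, the edited sentence still reads "raid configured encrypted ZFS filesystem" and "lightweightness"; while touching this line to add `x86_64`, consider "a RAID-configured, encrypted ZFS filesystem" and "small footprint" so the opening paragraph reads cleanly.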
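Review bot: in the `@@ -25,20 +25,18 @@` hunk, removing the note about `zlevis` not being in the Alpine repository leaves `sh# apk add zfs lsblk sgdisk wipefs dosfstools mdadm zlevis` with no hint that `apk` will not find that package; the later `@@ -264` hunk keeps exactly such a note for `zlevis-mkinitfs`, so the same annotation style should be used here (e.g. "1. `zlevis` is as of this moment not yet in the Alpine package repository, see ..."). The hunk also drops `acpid` from the package list without a mention in the commit message; confirm nothing later in the post relies on it.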
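Review bot: in the `@@ -156,12 +154,10 @@` hunk, `'{"pcr_ids":"0,1,7"}'` seals the pool key against the Secure Boot policy (PCR 7), yet this step runs before the later `sbctl create-keys` / `sbctl enroll-keys` hunk; enrolling custom keys changes the PCR 7 measurement, so a key sealed at this point will not unseal on the next boot. Either move `zlevis encrypt` to after key enrollment (with Secure Boot enabled in the firmware) or add an explicit re-seal step, and say in the annotation that firmware updates and setup changes (PCR 0 and 1) likewise require re-running it, so the passphrase must be kept as the recovery path. Minor: the remaining `> To check if it worked, perform zlevis decrypt rpool.` blockquote is now inconsistent with the `1.` annotation style this hunk introduces.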
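Review bot: in the `@@ -245,8 +241,8 @@` hunk, moving `zfs-mount` above `zfs-import` has no effect at boot, because OpenRC orders services by their declared dependencies rather than by the order of the `rc-update add` calls; as documentation, the new sequence (mount, import, load-key) now reads as the reverse of what has to happen (import, load-key, mount). Suggest restoring the original order or stating the motivation in the commit message.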
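Review bot: in the `@@ -264,20 +260,20 @@` hunk, the annotation names the package `mkinitfs-zlevis` while the command installs `zlevis-mkinitfs`; one of the two is a typo and should match the other. The same hunk drops `tpm2-tools` from the `apk add` line; the first hunk removed the note that `tpm2-tools` and `jose` are dependencies of `zlevis`, so the reader can no longer tell whether the tools the initramfs needs are still pulled in.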
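Review bot: in the `@@ -285,7 +281,7 @@` hunk, the `output_dir="/efi/EFI/Linux"` change is cosmetic on a FAT ESP (path lookup is case-insensitive), but it does spell the directory the way systemd-boot documents it for auto-discovered UKIs, which is what the later `default alpine-linux-lts.efi` entry relies on; a one-line mention in the commit message would make the intent clear.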
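Review bot: in the `@@ -293,10 +289,10 @@` hunk, the annotation "if you are unable to use custom keys" is too vague to act on. Say when `--microsoft` is needed: firmware components or option ROMs (commonly on discrete GPUs) that are signed only by Microsoft's UEFI CA stop loading once only custom keys are enrolled, so the reader should check for such components before `sbctl enroll-keys` and include the Microsoft certificates if they are present.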
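Review bot: in the `@@ -312,16 +308,16 @@` hunk, after `bootctl install` the loader binaries it writes to the ESP (by default `EFI/systemd/systemd-bootx64.efi` and `EFI/BOOT/BOOTX64.EFI` on `x86_64`) are not signed by the `secureboot-hook`, which only signs the UKI it produces, so with custom keys enrolled the firmware will refuse the unsigned loader. Add a signing step for both files (e.g. `sbctl sign -s <path>`) before the `> One may verify the signed files by running sbctl verify.` hint, which will otherwise list them as unsigned. Minor: "the default OS :" has a stray space before the colon.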