User Tools

Site Tools


OpenWrt on UEFI based x86 systems


UEFI based systems are becoming more common and it's expected at some time that newer UEFI based system doesn't contain CSM to support legacy bios mode at all.

To accommodate this, it's necessary for OpenWrt build system to generate UEFI bootable images.


There are pending commits related to add UEFI bootable OpenWrt under Jow staging repository.

Beware that the generated uefi gpt image causes kernel panic when booted on bios based system. A fix for this issue is in progress 1) 2)

Building UEFI bootable OpenWrt image

The commits necessary to build uefi bootable OpenWrt image are as follows.

a63d85882e825159268191cf1fe066c1fba0e9b1 tools: add libopt host build
76cccd168c5c5bed2e7a641b1ca86e7b28895984 tools: add sgdisk host build
39979789c0549f9f774c323e54ed82248976a31c Generate EFI grub images for x86 platforms

To build the image, cherry pick those commits, i.e.

$ git remote add jow-staging
$ git fetch jow-staging
$ git checkout -b uefi-capable --track origin/master # so that you can rebase easily
$ for commit in \
  a63d85882e825159268191cf1fe066c1fba0e9b1 \
  76cccd168c5c5bed2e7a641b1ca86e7b28895984 \
  39979789c0549f9f774c323e54ed82248976a31c \
  ; do \
      git cherry-pick $commmit ; done

Optionally, integrate pending changes (see footnote) to make resulting gpt images bootable on bios based systems.

$ curl -L -o patch-0001.patch ""
$ curl -L -o patch-0002.patch ""
$ git am ./patch-0001.patch ./patch-0002.patch

After cherry-picking those commits and integrating pending patches, run make menuconfig.

Go to Target Images and make sure that Build EFI grub images option is checked.

Select additional packages as necessary and finally save changes and exit menuconfig.

Run make as usual to build the image.

The resulting image will be available as bin/targets/x86/64/openwrt-x86-64-uefi-gpt-ext4.img.gz, which can be written to disk after decompression.

UEFI Secure Boot

To generate signed image for use with secure boot, there is a development repository with corresponding packages feed under feature-uefi-secure-boot branch.

The repository contains changes based on Jow-staging branch to generate secure boot capable image

The related packages feed repository contains stuffs needed to sign efi binaries, i.e. gnu-efi and sbsigntool and stuffs to manipulate efi variables, i.e. efivar, efibootmgr, and efitools.

# Add the development git repository
$ git remote add devrepo
$ git fetch devrepo
$ git checkout feature-uefi-secure-boot
# Configure the corresponding package repository
$ echo 'src-git packages;feature-uefi-secure-boot' > ./feeds.conf
$ ./scripts/feeds clean
$ ./scripts/feeds update packages
$ ./scripts/feeds update -i
$ ./scripts/feeds install -a
# Now, configure the build system
# Select x86 as Target, x86_64 as Subtarget
# make sure to select 'Sign EFI executable binaries' under 'Target Images'
# UEFI related tools are available under Utilities section,
# which consist of efitools, efibootmgr, efivar, and sbsigntool
$ make menuconfig
# The certificate and key need to be generated
# to perform uefi binary signing
$ OLD_UMASK=$(umask)
$ umask 077
$ openssl req -new -x509 -sha256 \
  -days 90 -out ./db.crt \
  -subj '/CN=secure boot signing certificate' \
  -newkey rsa:2048 -nodes \
  -keyout ./db.key
$ umask $OLD_UMASK
# run make to generate UEFI secure bootable OpenWrt image
$ make

Remember to import db.crt (which may needs to be converted into DER or other format) into db UEFI variable to securely boot the resulting image.

docs/guide-developer/uefi-bootable-image.txt · Last modified: 2018/07/16 08:21 by oniranger