secureboot and slackware install
hi all. Has the situation got any simpler with slackware current installing onto a pc with secure boot enabled than has been discussed in thread https://www.linuxquestions.org/quest...st-4175682037/ ?
I'm not concerned with bypassing the "security benefits" of secure boot, so using some signed shim to load any unsigned kernel is fine by me. Being able to create a slackware installer dvd or usb which just works regardless of secure boot settings is the main interest/concern, and not being inhibited or having extra hoops to jump through if I want to roll my own kernels would be nice.
I doubt it is any different as to boot Linux with Secure Boot on you need to buy a certificate from microsoft. The cost isn't much so I expect it is because the Slackware developers do not trust microsoft.
Not sure what benefit you would expect from Secure Boot for a Linux install.
Quote:
I doubt it is any different as to boot Linux with Secure Boot on you need to buy a certificate from microsoft. The cost isn't much so I expect it is because the Slackware developers do not trust microsoft.
Not sure what benefit you would expect from Secure Boot for a Linux install.
I do not think that's about "trusting" Microsoft or the Secure Boot benefits, but rather about intentionally crippling the Slackware operating system, with awareness that it does NOT work (even boot) on many of today's computers.
So, we should accept that Slackware will NOT boot on the computers where the Secured Boot is not possible to be disabled?
Yes, this is the catch: on many laptops sold today, the Secured Boot cannot be disabled. And their number is significant.
I for one, I do not believe that the Slackware Team is not aware of them.
Last edited by LuckyCyborg; 07-08-2021 at 01:49 PM.
Original Poster
Rather than continuing the discussion from the previous thread, I was interested if the ability to boot for the installer (using the shim) had been added. Apart from using slackware for servers, slackbuild dev, and occasional desktop use, I use it when testing problematic pcs (usually windows ones). The ability to boot off a slackware install disk and run a badblocks check for example saves removing the hard drive/ssd to put it in a test pc.
As has been mentioned, secure boot is enabled by default on many pc's/laptops, disabling it being problematic for some, and having to check out the bios on each machine before being able to even boot off the installer is a barrier that could be avoided.
Although as chrisvv said, the method which allows you to sign and add your own kernels to uefi variable eprom space preserves the functionality/intent of secure boot, the cart-and-horses shim method is least disruptive to those more used to legacy/non uefi boot, in that you can use or make your own kernels without having to sign them and register them, and you can continue using your computer as before.
I haven't tried to create a boot usb installer yet. At the moment I've just created install dvd using the info from the README (and rolling my own xorriso on 14.2 from the current slackbuild to do so). I can confirm that the dvd created does not boot on a secureboot enabled pc/laptop, but does a usb boot stick have that secureboot shim that the dvd install iso does not?
Last edited by timsoft; 07-19-2021 at 09:11 AM.
Reason: fix typo
You place both Preloader.efi and HashTool.efi in the EFI/boot folder with your bootloader. I use grub, but it should work with eLILO as well. Rename your bootloader to loader.efi, and rename Preloader.efi to bootx64.efi. On first reboot you'll be asked to choose loader.efi and store a hash in the efivars, basically creating a MOK for your machine. If you're using grub, you'll have to build a grub image with the necessary grub modules built-in. I used the code from Alien Bob's make-grub.sh script here:
I deal with Secure Boot every day at work, and I have yet to see a machine where it couldn't be disabled, from the lowest end laptop to the most expensive mobile workstation, or high-end desktop with dual Xeon processors. If you're willing to risk bricking your machine, there is open-source UEFI firmware - coreboot, that you can flash.
The Preloader.efi/HashTool.efi solution works, full install, live usb, unpack and repack an iso. I've done all three.
Quote:
I doubt it is any different as to boot Linux with Secure Boot on you need to buy a certificate from microsoft. The cost isn't much so I expect it is because the Slackware developers do not trust microsoft.
Not sure what benefit you would expect from Secure Boot for a Linux install.
It's not a cost issue. Microsoft, and also Intel and the rest of the UEFI cartel will not sign most open-source bootloaders and kernels/modules because the code can be modified and poses a security risk. If an attacker can compromise the UEFI firmware, persistence is practically guaranteed because pretty much all of the IDS/IPS, anti-malware, and other security systems only monitor systems at runtime. In order to get bootloaders/kernels/modules signed, certain modules that allow direct access to memory, I/O ports, and MSRs have to be disabled, which defeats the purpose of Free and Open Software. You can clear all the SecureBoot keys from the firmware and install your own, if you don't ever intend to use any Microsoft software.
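The staging steps from the Preloader.efi/HashTool.efi post above, as an added shell example that is not part of the thread or of Alien Bob's scripts. The function names, the refusal to stage twice and the digest check are assumptions introduced here; all paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: stage PreLoader next to an existing
# EFI bootloader using the file names given in the post above.

# stage_preloader BOOT_DIR PRELOADER HASHTOOL BOOTLOADER
# BOOT_DIR is the EFI/boot directory of the ESP, USB stick or unpacked ISO.
# BOOTLOADER may be BOOT_DIR/bootx64.efi itself (it is copied before being replaced).
stage_preloader() {
    boot_dir=$1; preloader=$2; hashtool=$3; bootloader=$4
    [ -d "$boot_dir" ] || { echo "no such directory: $boot_dir" >&2; return 1; }
    for f in "$preloader" "$hashtool" "$bootloader"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # On a second in-place run bootx64.efi is already PreLoader and would be
    # copied over the real bootloader as loader.efi: refuse.
    if [ -e "$boot_dir/loader.efi" ]; then
        echo "loader.efi already exists in $boot_dir, not staging again" >&2
        return 1
    fi
    cp "$bootloader" "$boot_dir/loader.efi" || return 1   # the real bootloader
    cp "$hashtool" "$boot_dir/HashTool.efi" || return 1   # used to enrol the hash
    # Write PreLoader under a temporary name, then rename it into place.
    cp "$preloader" "$boot_dir/bootx64.efi.tmp" || return 1
    mv "$boot_dir/bootx64.efi.tmp" "$boot_dir/bootx64.efi"
}

# loader_digest BOOT_DIR: SHA-256 of the staged loader.efi file.
# A plain file digest for change tracking, not the value HashTool stores.
loader_digest() {
    sha256sum "$1/loader.efi" | cut -d' ' -f1
}

# needs_reenroll BOOT_DIR RECORDED_DIGEST: succeeds when loader.efi differs
# from the digest recorded at enrolment time, so HashTool must be run again.
needs_reenroll() {
    [ "$(loader_digest "$1")" != "$2" ]
}

# Run as: script BOOT_DIR PRELOADER HASHTOOL BOOTLOADER
if [ "$#" -eq 4 ]; then
    stage_preloader "$@" && loader_digest "$1"
fi
```

Because the enrolled hash covers one specific loader.efi binary, replacing it (for example with a rebuilt grub image) means choosing and enrolling it again on the next boot.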
Quote:
I do not think that's about "trusting" Microsoft or the Secure Boot benefits, but rather about intentionally crippling the Slackware operating system, with awareness that it does NOT work (even boot) on many of today's computers.
So, we should accept that Slackware will NOT boot on the computers where the Secured Boot is not possible to be disabled?
Yes, this is the catch: on many laptops sold today, the Secured Boot cannot be disabled. And their number is significant.
I for one, I do not believe that the Slackware Team is not aware of them.
I think that at this point you should just shut up and stop using Slackware. Slackware is not intentionally crippled, it works fine. You are just insulting the team here.
If you bought a computer which does not allow you to disable Secure Boot, complain to the manufacturer.
Microsoft's own Secure Boot guidelines allow computer manufacturers to disable it. https://docs.microsoft.com/en-us/win...ng-secure-boot
Quote:
I think that at this point you should just shut up and stop using Slackware. Slackware is not intentionally crippled, it works fine. You are just insulting the team here.
If you bought a computer which does not allow you to disable Secure Boot, complain to the manufacturer.
Microsoft's own Secure Boot guidelines allow computer manufacturers to disable it. https://docs.microsoft.com/en-us/win...ng-secure-boot
I, for one, have yet to find a hurdle too high these last 18 years I've been running Slackware. I currently work for one of the largest authorized HP resellers, and my team images and deploys 400-500 machines daily, and all this week I've had to disable Secure Boot due to a driver issue affecting around 150 machines that the 5.13.9 kernel fixed. I used my Slackware machine to update the kernel and initrd.img on our clonezilla images.
Thanks to the work you've done on Slackware-Live, and your scripts, they think I'm a genius. I've learned a great deal from you over the years, AlienBob. I'm forever grateful.
Original Poster
thanks JuanKenobi, (and AlienBob). On my acer laptop the bios is buggy so it insists on signed loaders with secureboot turned off!, but it does let me add executables to the "allowed to boot" list in the bios, which enabled me to add rEFInd bootloader to the bios allowed list. rEFInd could then happily boot whatever it found. Unfortunately rEFInd is not in current at the moment, so it requires manually adding an extra package to the slackware install image to get it going, or remembering to install and run it after installation and before the first reboot. In my day job I build and repair pcs (and laptops), but fortunately the motherboards I use for building allow me to have secureboot turned off, so it is only customer's computers where uefi has made things more cumbersome.
What is annoying is that the bios will automatically spot windows boot manager installed on any new drive and try to boot it in preference to an existing happy slackware system. You have to manually restore the boot order in the bios each time you temporarily add a windows bootable drive to a slackware system. This never used to happen pre uefi bios.
I'll take the answer to my thread question as "no" for now, although the workarounds are noted, thanks to JuanKenobi and others.