How to treat secure boot when Slackware 14.1 is installed
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to treat secure boot when Slackware 14.1 is installed
I have read that the suggestion is to turn off the secure boot provision of my Toshiba satellite laptop in order to boot to Slackware.
While trying to corral Win8.1 I came across a statement by M$ Windows that it has software to permit Linux OSes to keep secure boot turned on (thus providing protection against bootkits). I am curious whether anyone has used this and what success they have had?
As Didier said, Slackware is not compatible with the Secure Boot "feature" because Pat don't have any kind of certificate from MS to sign the kernels with.
As a result, and that applies to most distros, you have to leave the Secure Boot turned off.
If you REALLY care about signed kernels and all the hacks that goes with that, you can still sign your own kernel and boot from it.
However, you have to own a motherboard that allows you to manage its UEFI PK keys.
Most OEM mobo (the ones used for prebuilt PCs) are locked-down and only allow the Secure Boot to be managed by the end user.
Most of the mobo that you can buy "off the shelves" allow you to add your own keys and thus, achieve your goal.
As a last resort, you may have a Coreboot compatible mobo in which case, you will be able to do whatever you want.
Secure Boot still makes me paranoid, to be honest. I worry that enough leverage from certain sectors, and the ability to turn it off goes away. Doesn't mean someone won't crack it or find a way around it, but it's the precedent that makes me nervous.
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
Most of that fear was due to the lack of understanding for 'UEFI' along with fear mongers spreading 'FUD'. Thankfully we have a great Slackware community too help fellow Slackers;
onebuck@ THANK U THANK U THANK U
I checked UR reference and there on the 1st page was the answer: Slackware 64 bit Version 14.1 and above can coexist with UEFI !!
That will help all but my poor old desktop 32 bit-er
As much as I dislike M$ OSes & especially Win8.1 I feel that it is wrong to hang UEFI on M$ even tho they are close witn the originator of UEFI, Intel.
There is nothing to buy as far as I have read to allow coexistence.
I haven't finished reading some docs but my current understand is UEFI uses firmware keys (manufacturer's certificates) that are checked then if that passes there are a couple of databases which store more keys that allow OPEN OSes to create for further examination.
As much as I dislike M$ OSes & especially Win8.1 I feel that it is wrong to hang UEFI on M$
Indeed Intel is the driving force behind UEFI. However, the UEFI 2.2 specification adds a protocol known as Secure boot. The "key master" for secure boot on PCs is Microsoft. Machines where secure boot cannot be disabled (e.g. many ARM devices) are therefore locked out to anyone MS decides. This is the concern people have.
As of right now, all UEFI PC hardware has the option to disable secure boot.
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
It still is.
MS can just as easily change their certificate... and you will no longer be able to install. If you write your own super dooper boot program... you can't install. I don't think you can even test it very well... without using a different boot program first.
They already prevent installation on some machines.
If your desktop uses UEFI I seriously doubt you have 32Bit hardware. It is almost certainly a 64Bit machine.
Yes. Though you could find a few 32 bit machines that use UEFI.
By the way, the UEFI specification allows to put several PE32+ images in /EFI/BOOT, that if properly named should all be detected by the EFI boot manager. On a 64 bit machine that could (depending on the firmware) allow the user to choose to perform the installation either in 64 bit or 32 bit mode provided that:
the kernel referred to in each image be of the relevant architecture and be included,
an initrd be provided for each architecture shipped,
a set of packages be provided for each architecture.
To do that for Slackware we would need to include some more stuff in the 64 bit DVD ISO image: files /EFI/BOOT/bootia32.efi and corresponding /isolinux/efib32.img (one can include several El-Torito boot images in the same ISO image), two initrds, 32 and 64 bit kernels, and refer to the relevant initrds and kernels in all config files. And of course ship the two sets of packages in /slackware/ and /slackware64/
We would also need the GRUB modules for the target i386-efi (not yet included in Slackware) to build bootia32.efi with grub-mkimage's option --format=i386-efi
All this is feasible, so theoretically one could provide a "dual architecture" Slackware installation media usable on a machine with an EFI firmware.
That would be a task to fill the long winter evenings
Last edited by Didier Spaier; 09-03-2014 at 05:06 AM.
Originally Posted by volkerdi It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
Quote:
Originally Posted by dugan
And now SystemD has taken its place.
However, when I bought my current computer, replacing Windows was an easy matter of disabling Secure Boot and Enabling Legacy Mode. In other words, I simply turned it off. Good luck turning off systemd.
Randicus ... ...@ If U bought a 64bit and installed Slackware 14.1 to it from the reference I was given it is unnecessary to turn off secure boot. Did U turn it off due to problems that the installation was having ?
Nh3xus@ Are U thinking 32 bit or 64? As I read it and I could be wrong there is NO certificate from M$ applicable(tho they probably deserve such a wrap). Like I said earlier it first checks some keys (effectively passwords) to prevent planting malware into the initial phase of booting (those are put there by the manufacturer) then another couple of data bases (db & dbx) can have further password/keys implemented. It apparently is in those that OS vendors can put password/keys to protect the rest of the booting as those databases cannot be accessed unless secure boot passwords/keys are true.
M$ does produce OSes for real time usage that requires that secure boot cannot be turned off.
I hope my understanding is correct. Here are the refs I have seen besides the one onebuch gave: http://technet.microsoft.com/en-us/l.../dn481258.aspx http://technet.microsoft.com/en-us/l.../hh824987.aspx https://www.linuxfoundation.org/site..._platforms.pdf http://www.howtogeek.com/175641/how-...h-secure-boot/
PS
The high level organization (name escapes me) wrote that they (U know who that is M$+Intel) would not lock out other vendors.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.