Slackware This Forum is for the discussion of Slackware Linux.
|
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
09-02-2014, 05:00 PM
|
#1
|
Member
Registered: Apr 2014
Posts: 276
Rep:
|
How to treat secure boot when Slackware 14.1 is installed
I have read that the suggestion is to turn off the secure boot provision of my Toshiba satellite laptop in order to boot to Slackware.
While trying to corral Win8.1 I came across a statement by M$ Windows that it has software to permit Linux OSes to keep secure boot turned on (thus providing protection against bootkits). I am curious whether anyone has used this and what success they have had?
|
|
|
09-02-2014, 05:06 PM
|
#2
|
LQ Addict
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,184
Rep:
|
This is only possible for distributions that have bought a certificate from Microsoft, as did Fedora for instance.
As far as I know this is not the case for Slackware at time of writing so you should disable secure boot to install it alongside Windows 8.1.
Last edited by Didier Spaier; 09-02-2014 at 10:51 PM.
|
|
|
09-02-2014, 05:59 PM
|
#3
|
Member
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 211
Rep:
|
As Didier said, Slackware is not compatible with the Secure Boot "feature" because Pat don't have any kind of certificate from MS to sign the kernels with.
As a result, and that applies to most distros, you have to leave the Secure Boot turned off.
If you REALLY care about signed kernels and all the hacks that goes with that, you can still sign your own kernel and boot from it.
However, you have to own a motherboard that allows you to manage its UEFI PK keys.
Most OEM mobo (the ones used for prebuilt PCs) are locked-down and only allow the Secure Boot to be managed by the end user.
Most of the mobo that you can buy "off the shelves" allow you to add your own keys and thus, achieve your goal.
As a last resort, you may have a Coreboot compatible mobo in which case, you will be able to do whatever you want.
|
|
1 members found this post helpful.
|
09-02-2014, 06:16 PM
|
#4
|
Slackware Maintainer
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 2,766
|
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
|
|
|
09-02-2014, 06:31 PM
|
#5
|
Senior Member
Registered: Oct 2009
Distribution: Slackware
Posts: 1,733
|
Secure Boot still makes me paranoid, to be honest. I worry that enough leverage from certain sectors, and the ability to turn it off goes away. Doesn't mean someone won't crack it or find a way around it, but it's the precedent that makes me nervous.
|
|
|
09-02-2014, 06:39 PM
|
#6
|
Moderator
Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: SlackwareŽ
Posts: 13,951
|
Member Response
Hi,
Quote:
Originally Posted by volkerdi
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
|
Most of that fear was due to the lack of understanding for 'UEFI' along with fear mongers spreading 'FUD'. Thankfully we have a great Slackware community too help fellow Slackers;
|
|
1 members found this post helpful.
|
09-03-2014, 03:04 AM
|
#7
|
Member
Registered: Apr 2014
Posts: 276
Original Poster
Rep:
|
onebuck@ THANK U THANK U THANK U
I checked UR reference and there on the 1st page was the answer: Slackware 64 bit Version 14.1 and above can coexist with UEFI !!
That will help all but my poor old desktop 32 bit-er
As much as I dislike M$ OSes & especially Win8.1 I feel that it is wrong to hang UEFI on M$ even tho they are close witn the originator of UEFI, Intel.
There is nothing to buy as far as I have read to allow coexistence.
I haven't finished reading some docs but my current understand is UEFI uses firmware keys (manufacturer's certificates) that are checked then if that passes there are a couple of databases which store more keys that allow OPEN OSes to create for further examination.
Last edited by nix84; 09-03-2014 at 03:18 AM.
|
|
|
09-03-2014, 03:19 AM
|
#8
|
Senior Member
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,557
|
Quote:
Originally Posted by nix84
That will help all but my poor old desktop 32 bit-er
|
If your desktop uses UEFI I seriously doubt you have 32Bit hardware. It is almost certainly a 64Bit machine.
|
|
|
09-03-2014, 03:46 AM
|
#9
|
Member
Registered: Apr 2014
Posts: 276
Original Poster
Rep:
|
32 bit desktop with 13.37 and new laptop is 64bit
|
|
|
09-03-2014, 04:00 AM
|
#10
|
Senior Member
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,557
|
Quote:
Originally Posted by nix84
As much as I dislike M$ OSes & especially Win8.1 I feel that it is wrong to hang UEFI on M$
|
Indeed Intel is the driving force behind UEFI. However, the UEFI 2.2 specification adds a protocol known as Secure boot. The "key master" for secure boot on PCs is Microsoft. Machines where secure boot cannot be disabled (e.g. many ARM devices) are therefore locked out to anyone MS decides. This is the concern people have.
As of right now, all UEFI PC hardware has the option to disable secure boot.
P.S. I would encourage you to read this.
|
|
|
09-03-2014, 04:06 AM
|
#11
|
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912
|
Quote:
Originally Posted by volkerdi
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
|
It still is.
MS can just as easily change their certificate... and you will no longer be able to install. If you write your own super dooper boot program... you can't install. I don't think you can even test it very well... without using a different boot program first.
They already prevent installation on some machines.
Last edited by jpollard; 09-03-2014 at 04:09 AM.
|
|
|
09-03-2014, 04:46 AM
|
#12
|
LQ Addict
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,184
Rep:
|
Quote:
Originally Posted by ruario
If your desktop uses UEFI I seriously doubt you have 32Bit hardware. It is almost certainly a 64Bit machine.
|
Yes. Though you could find a few 32 bit machines that use UEFI.
By the way, the UEFI specification allows to put several PE32+ images in /EFI/BOOT, that if properly named should all be detected by the EFI boot manager. On a 64 bit machine that could (depending on the firmware) allow the user to choose to perform the installation either in 64 bit or 32 bit mode provided that:
- the kernel referred to in each image be of the relevant architecture and be included,
- an initrd be provided for each architecture shipped,
- a set of packages be provided for each architecture.
To do that for Slackware we would need to include some more stuff in the 64 bit DVD ISO image: files /EFI/BOOT/bootia32.efi and corresponding /isolinux/efib32.img (one can include several El-Torito boot images in the same ISO image), two initrds, 32 and 64 bit kernels, and refer to the relevant initrds and kernels in all config files. And of course ship the two sets of packages in /slackware/ and /slackware64/
We would also need the GRUB modules for the target i386-efi (not yet included in Slackware) to build bootia32.efi with grub-mkimage's option --format=i386-efi
All this is feasible, so theoretically one could provide a "dual architecture" Slackware installation media usable on a machine with an EFI firmware.
That would be a task to fill the long winter evenings
Last edited by Didier Spaier; 09-03-2014 at 05:06 AM.
|
|
2 members found this post helpful.
|
09-03-2014, 03:09 PM
|
#13
|
LQ Guru
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,336
|
Quote:
Originally Posted by volkerdi
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
|
And now SystemD has taken its place.
|
|
|
09-03-2014, 05:57 PM
|
#14
|
Senior Member
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: No distribution. OpenBSD operating system
Posts: 1,711
|
Quote:
Originally Posted by volkerdi
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
|
Quote:
Originally Posted by dugan
And now SystemD has taken its place.
|
However, when I bought my current computer, replacing Windows was an easy matter of disabling Secure Boot and Enabling Legacy Mode. In other words, I simply turned it off. Good luck turning off systemd.
|
|
2 members found this post helpful.
|
09-04-2014, 12:19 AM
|
#15
|
Member
Registered: Apr 2014
Posts: 276
Original Poster
Rep:
|
Randicus ... ...@ If U bought a 64bit and installed Slackware 14.1 to it from the reference I was given it is unnecessary to turn off secure boot. Did U turn it off due to problems that the installation was having ?
Nh3xus@ Are U thinking 32 bit or 64? As I read it and I could be wrong there is NO certificate from M$ applicable(tho they probably deserve such a wrap). Like I said earlier it first checks some keys (effectively passwords) to prevent planting malware into the initial phase of booting (those are put there by the manufacturer) then another couple of data bases (db & dbx) can have further password/keys implemented. It apparently is in those that OS vendors can put password/keys to protect the rest of the booting as those databases cannot be accessed unless secure boot passwords/keys are true.
M$ does produce OSes for real time usage that requires that secure boot cannot be turned off.
I hope my understanding is correct. Here are the refs I have seen besides the one onebuch gave:
http://technet.microsoft.com/en-us/l.../dn481258.aspx
http://technet.microsoft.com/en-us/l.../hh824987.aspx
https://www.linuxfoundation.org/site..._platforms.pdf
http://www.howtogeek.com/175641/how-...h-secure-boot/
PS
The high level organization (name escapes me) wrote that they (U know who that is M$+Intel) would not lock out other vendors.
Last edited by nix84; 09-04-2014 at 12:36 AM.
|
|
|
All times are GMT -5. The time now is 06:11 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|