LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 09-02-2014, 05:00 PM   #1
nix84
Member
 
Registered: Apr 2014
Posts: 276

Rep: Reputation: Disabled
How to treat secure boot when Slackware 14.1 is installed


I have read that the suggestion is to turn off the secure boot provision of my Toshiba satellite laptop in order to boot to Slackware.

While trying to corral Win8.1 I came across a statement by M$ Windows that it has software to permit Linux OSes to keep secure boot turned on (thus providing protection against bootkits). I am curious whether anyone has used this and what success they have had?
 
Old 09-02-2014, 05:06 PM   #2
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,184

Rep: Reputation: Disabled
This is only possible for distributions that have bought a certificate from Microsoft, as did Fedora for instance.

As far as I know this is not the case for Slackware at time of writing so you should disable secure boot to install it alongside Windows 8.1.

Last edited by Didier Spaier; 09-02-2014 at 10:51 PM.
 
Old 09-02-2014, 05:59 PM   #3
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 211

Rep: Reputation: 57
As Didier said, Slackware is not compatible with the Secure Boot "feature" because Pat don't have any kind of certificate from MS to sign the kernels with.

As a result, and that applies to most distros, you have to leave the Secure Boot turned off.

If you REALLY care about signed kernels and all the hacks that goes with that, you can still sign your own kernel and boot from it.

However, you have to own a motherboard that allows you to manage its UEFI PK keys.

Most OEM mobo (the ones used for prebuilt PCs) are locked-down and only allow the Secure Boot to be managed by the end user.

Most of the mobo that you can buy "off the shelves" allow you to add your own keys and thus, achieve your goal.

As a last resort, you may have a Coreboot compatible mobo in which case, you will be able to do whatever you want.
 
1 members found this post helpful.
Old 09-02-2014, 06:16 PM   #4
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 2,766

Rep: Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067Reputation: 9067
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
 
Old 09-02-2014, 06:31 PM   #5
garpu
Senior Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 1,733

Rep: Reputation: 990Reputation: 990Reputation: 990Reputation: 990Reputation: 990Reputation: 990Reputation: 990Reputation: 990
Secure Boot still makes me paranoid, to be honest. I worry that enough leverage from certain sectors, and the ability to turn it off goes away. Doesn't mean someone won't crack it or find a way around it, but it's the precedent that makes me nervous.
 
Old 09-02-2014, 06:39 PM   #6
onebuck
Moderator
 
Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: SlackwareŽ
Posts: 13,951
Blog Entries: 46

Rep: Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182
Member Response

Hi,

Quote:
Originally Posted by volkerdi View Post
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
Most of that fear was due to the lack of understanding for 'UEFI' along with fear mongers spreading 'FUD'. Thankfully we have a great Slackware community too help fellow Slackers;
Quote:
Installing Slackware on UEFI-based hardware <-'Slackware Documentation Project'
 
1 members found this post helpful.
Old 09-03-2014, 03:04 AM   #7
nix84
Member
 
Registered: Apr 2014
Posts: 276

Original Poster
Rep: Reputation: Disabled
onebuck@ THANK U THANK U THANK U
I checked UR reference and there on the 1st page was the answer: Slackware 64 bit Version 14.1 and above can coexist with UEFI !!
That will help all but my poor old desktop 32 bit-er

As much as I dislike M$ OSes & especially Win8.1 I feel that it is wrong to hang UEFI on M$ even tho they are close witn the originator of UEFI, Intel.
There is nothing to buy as far as I have read to allow coexistence.

I haven't finished reading some docs but my current understand is UEFI uses firmware keys (manufacturer's certificates) that are checked then if that passes there are a couple of databases which store more keys that allow OPEN OSes to create for further examination.

Last edited by nix84; 09-03-2014 at 03:18 AM.
 
Old 09-03-2014, 03:19 AM   #8
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,557

Rep: Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763
Quote:
Originally Posted by nix84 View Post
That will help all but my poor old desktop 32 bit-er
If your desktop uses UEFI I seriously doubt you have 32Bit hardware. It is almost certainly a 64Bit machine.
 
Old 09-03-2014, 03:46 AM   #9
nix84
Member
 
Registered: Apr 2014
Posts: 276

Original Poster
Rep: Reputation: Disabled
32 bit desktop with 13.37 and new laptop is 64bit
 
Old 09-03-2014, 04:00 AM   #10
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,557

Rep: Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763Reputation: 1763
Quote:
Originally Posted by nix84 View Post
As much as I dislike M$ OSes & especially Win8.1 I feel that it is wrong to hang UEFI on M$
Indeed Intel is the driving force behind UEFI. However, the UEFI 2.2 specification adds a protocol known as Secure boot. The "key master" for secure boot on PCs is Microsoft. Machines where secure boot cannot be disabled (e.g. many ARM devices) are therefore locked out to anyone MS decides. This is the concern people have.

As of right now, all UEFI PC hardware has the option to disable secure boot.

P.S. I would encourage you to read this.
 
Old 09-03-2014, 04:06 AM   #11
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513
Quote:
Originally Posted by volkerdi View Post
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
It still is.

MS can just as easily change their certificate... and you will no longer be able to install. If you write your own super dooper boot program... you can't install. I don't think you can even test it very well... without using a different boot program first.

They already prevent installation on some machines.

Last edited by jpollard; 09-03-2014 at 04:09 AM.
 
Old 09-03-2014, 04:46 AM   #12
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,184

Rep: Reputation: Disabled
Quote:
Originally Posted by ruario View Post
If your desktop uses UEFI I seriously doubt you have 32Bit hardware. It is almost certainly a 64Bit machine.
Yes. Though you could find a few 32 bit machines that use UEFI.

By the way, the UEFI specification allows to put several PE32+ images in /EFI/BOOT, that if properly named should all be detected by the EFI boot manager. On a 64 bit machine that could (depending on the firmware) allow the user to choose to perform the installation either in 64 bit or 32 bit mode provided that:
  • the kernel referred to in each image be of the relevant architecture and be included,
  • an initrd be provided for each architecture shipped,
  • a set of packages be provided for each architecture.
To do that for Slackware we would need to include some more stuff in the 64 bit DVD ISO image: files /EFI/BOOT/bootia32.efi and corresponding /isolinux/efib32.img (one can include several El-Torito boot images in the same ISO image), two initrds, 32 and 64 bit kernels, and refer to the relevant initrds and kernels in all config files. And of course ship the two sets of packages in /slackware/ and /slackware64/

We would also need the GRUB modules for the target i386-efi (not yet included in Slackware) to build bootia32.efi with grub-mkimage's option --format=i386-efi

All this is feasible, so theoretically one could provide a "dual architecture" Slackware installation media usable on a machine with an EFI firmware.

That would be a task to fill the long winter evenings

Last edited by Didier Spaier; 09-03-2014 at 05:06 AM.
 
2 members found this post helpful.
Old 09-03-2014, 03:09 PM   #13
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,336

Rep: Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380Reputation: 5380
Quote:
Originally Posted by volkerdi View Post
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
And now SystemD has taken its place.
 
Old 09-03-2014, 05:57 PM   #14
Randicus Draco Albus
Senior Member
 
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: No distribution. OpenBSD operating system
Posts: 1,711
Blog Entries: 8

Rep: Reputation: 635Reputation: 635Reputation: 635Reputation: 635Reputation: 635Reputation: 635
Quote:
Originally Posted by volkerdi
It's funny to think that only a couple of years ago we all thought that Secure Boot was the biggest threat to Linux.
Quote:
Originally Posted by dugan View Post
And now SystemD has taken its place.
However, when I bought my current computer, replacing Windows was an easy matter of disabling Secure Boot and Enabling Legacy Mode. In other words, I simply turned it off. Good luck turning off systemd.
 
2 members found this post helpful.
Old 09-04-2014, 12:19 AM   #15
nix84
Member
 
Registered: Apr 2014
Posts: 276

Original Poster
Rep: Reputation: Disabled
Randicus ... ...@ If U bought a 64bit and installed Slackware 14.1 to it from the reference I was given it is unnecessary to turn off secure boot. Did U turn it off due to problems that the installation was having ?

Nh3xus@ Are U thinking 32 bit or 64? As I read it and I could be wrong there is NO certificate from M$ applicable(tho they probably deserve such a wrap). Like I said earlier it first checks some keys (effectively passwords) to prevent planting malware into the initial phase of booting (those are put there by the manufacturer) then another couple of data bases (db & dbx) can have further password/keys implemented. It apparently is in those that OS vendors can put password/keys to protect the rest of the booting as those databases cannot be accessed unless secure boot passwords/keys are true.
M$ does produce OSes for real time usage that requires that secure boot cannot be turned off.
I hope my understanding is correct. Here are the refs I have seen besides the one onebuch gave:
http://technet.microsoft.com/en-us/l.../dn481258.aspx
http://technet.microsoft.com/en-us/l.../hh824987.aspx
https://www.linuxfoundation.org/site..._platforms.pdf
http://www.howtogeek.com/175641/how-...h-secure-boot/
PS
The high level organization (name escapes me) wrote that they (U know who that is M$+Intel) would not lock out other vendors.

Last edited by nix84; 09-04-2014 at 12:36 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Accessing installed Ubuntu partition on UEFI, GPT and Secure boot enabled ultrabook kamesh419 Ubuntu 5 07-14-2013 03:20 AM
partially installed Slackware 13 but cannot boot into it, how to make boot disk as d Fred Caro Slackware 5 10-29-2009 05:53 AM
Just installed Slackware 12.1 - How do i Secure it? corporatepig Slackware 3 08-13-2008 04:22 AM
Dual boot windows/slackware, but slackware installed first? Cryptic_K Slackware 3 11-20-2006 12:49 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 06:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration