LinuxQuestions.org

Slackware forum (https://www.linuxquestions.org/questions/slackware-14/)
Thread: Start Slackware installer without disabling UEFI Secure Boot first? (https://www.linuxquestions.org/questions/slackware-14/start-slackware-installer-without-disabling-uefi-secure-boot-first-4175682037/)

average_user 09-13-2020 03:09 AM

Start Slackware installer without disabling UEFI Secure Boot first?
 
I might need to install Slackware on new hardware soon and I wonder if it's possible to start the installer and install Slackware without disabling UEFI Secure Boot first. I have an ASUS Z97-A and I have to disable Secure Boot before running the Slackware installer or I get the error message shown here https://i.imgur.com/h4wOX5d.jpg (Secure Boot is enabled by default so I have to disable it explicitly). On the other hand I tried to run the Ubuntu 20.04.1 LTS ISO with Secure Boot enabled and to my surprise it just worked. I don't know how it works but there are some details here https://wiki.ubuntu.com/UEFI/SecureBoot. Would it be possible to make Slackware work with Secure Boot enabled?

LuckyCyborg 09-13-2020 03:40 AM

Quote:

Originally Posted by average_user (Post 6165310)
I might need to install Slackware on new hardware soon and I wonder if it's possible to start the installer and install Slackware without disabling UEFI Secure Boot first. I have an ASUS Z97-A and I have to disable Secure Boot before running the Slackware installer or I get the error message shown here https://i.imgur.com/h4wOX5d.jpg (Secure Boot is enabled by default so I have to disable it explicitly). On the other hand I tried to run the Ubuntu 20.04.1 LTS ISO with Secure Boot enabled and to my surprise it just worked. I don't know how it works but there are some details here https://wiki.ubuntu.com/UEFI/SecureBoot. Would it be possible to make Slackware work with Secure Boot enabled?

I doubt that the Slackware installer will ever start under UEFI Secure Boot, because, from what I understand, the Slackware kernels and bootloaders aren't signed with Microsoft Secure Boot certificates.

However, the RHEL, SuSE or Ubuntu kernels and bootloaders are signed, so they will work in this environment.

So, in the Slackware case, I believe you must disable this feature - or IF you can't, you should throw in the towel.

average_user 09-13-2020 04:26 AM

Quote:

Originally Posted by LuckyCyborg (Post 6165317)
However, the RHEL, SuSE or Ubuntu kernels and bootloaders are signed, so they will work in this environment.

Yes, that's the reason but if they can do that couldn't Slackware do that as well?

So far I have always been able to disable Secure Boot, but if I could run Slackware with Secure Boot enabled it would be slightly easier to install, because sometimes finding the option to disable Secure Boot in the UEFI interface can take more than a while. I heard that motherboard manufacturers have to provide an option to disable Secure Boot, but what if this requirement changes, or company policy prevents me from disabling it?

LuckyCyborg 09-13-2020 04:45 AM

Quote:

Originally Posted by average_user (Post 6165328)
Yes, that's the reason but if they can do that couldn't Slackware do that as well?

So far I have always been able to disable Secure Boot, but if I could run Slackware with Secure Boot enabled it would be slightly easier to install, because sometimes finding the option to disable Secure Boot in the UEFI interface can take more than a while. I heard that motherboard manufacturers have to provide an option to disable Secure Boot, but what if this requirement changes, or company policy prevents me from disabling it?

Yes, probably Slackware can sign its kernels and bootloaders too...

The catch is: IF someone convinces Mr. Volkerding to buy a Microsoft certificate for Slackware - BTW, from what I heard, this certificate costs like a really good sports car, i.e. a Ferrari 488 Pista - then do the math about the probability of seeing (or not) middle fingers if you ask for this.

However, you are aware that even if Slackware signs its things and runs fine under Secure Boot, you still will never be able to run your custom, unsigned kernels in the same way?

To run your own built kernel, you will need to disable Secure Boot anyway.

teoberi 09-13-2020 06:21 AM

Quote:

Originally Posted by LuckyCyborg (Post 6165333)
Yes, probably Slackware can sign its kernels and bootloaders too...

The catch is: IF someone convinces Mr. Volkerding to buy a Microsoft certificate for Slackware - BTW, from what I heard, this certificate costs like a really good sports car, i.e. a Ferrari 488 Pista - then do the math about the probability of seeing (or not) middle fingers if you ask for this.

However, you are aware that even if Slackware signs its things and runs fine under Secure Boot, you still will never be able to run your custom, unsigned kernels in the same way?

To run your own built kernel, you will need to disable Secure Boot anyway.

Or go to hell Microsoft Secure Boot with all their certificates!

chrisVV 09-13-2020 06:50 AM

Yes, you can install, and run, slackware64-current on a computer with secure boot enabled (I do it). You will need an existing machine running linux to prepare your boot sticks.

The easiest way, which in my view is not the best way, is to use the Linux Foundation's PreLoader.efi and HashTool.efi, and enrol elilo.efi in your MOK using HashTool, which will be brought up the first time you boot. You can do it this way:

1. First you need a (non-secure boot) slackware boot stick with an actual real EFI partition, formatted for a VFAT file system with partition type "EFI System partition." (code EF00). One way of doing that is to delete every existing file and partition on the stick, and make an EFI partition on it. You can have, say, a second ext4 partition with the latest slackware current distribution on it, if your stick is big enough (a 10GB stick should do), or you can even have the whole stick as an EFI partition and put the slackware distribution on it.

2. Mount usbboot.img with 'mount -o loop [/path/to]/slackware64-current/usb-and-pxe-installers/usbboot.img /mnt/loop'

3. Copy the whole of its contents, including directory structure, to the EFI partition on the stick you have just made.

4. Go to the EFI/BOOT directory you will now have on the stick, move bootx64.efi to loader.efi (it is actually a copy of elilo.efi) and copy PreLoader.efi to the stick as bootx64.efi in its place. Copy HashTool.efi to EFI/BOOT as HashTool.efi.

Now you should be able to boot that stick in secure boot mode. The first time you boot the stick, PreLoader.efi will invite you to hash a file, and you should hash your loader.efi (the renamed original bootx64.efi which is a copy of elilo.efi). This works because PreLoader.efi has been signed by Microsoft's key for third party uefi applications, the public certificate for which will be in the computer's efi db, and Preloader.efi will in turn verify via the hash obtained from HashTool.efi what it is handing off to, namely elilo. Once you have installed slackware on your hard disk, via PreLoader.efi you should be able to boot off the same loader.efi (renamed as elilo.efi) whose hash you have entered above, in order to boot up your computer off the hard disk. You might as well keep a copy of HashTool.efi in your computer's EFI partition also in case you need it to enter a new hash for a new elilo.efi, and put an EFI boot manager entry for PreLoader.efi using efibootmgr to enable booting directly to it from the EFI boot manager to then hand over to elilo.efi.

But this is definitely not the best way to do it, although it is the easiest. It is not the best because it drives a coach and horses through the purpose of secure boot - elilo will be able to boot any kernel, secure or not. Better is to use fedora's shim with grub, whereby you can sign the individual kernel images which you want to be able to boot. To do that on a new secure-boot-only system you need to start with two boot sticks, the first to enroll your signing key in MokManager, and the second to boot up and install slackware after you have entered the key. To do this:

1. Obtain shim from Fedora's website (I use shim-x64-15-8.x86_64.rpm), explode the rpm and obtain the efi binaries shimx64.efi and mmx64.efi. shimx64.efi has been pre-signed by Microsoft's and fedora's keys but will only hand over to a kernel image which has been signed with a key entered in MokManager. mmx64.efi is the MokManager efi and is used to enter your key for that purpose.

2. Prepare a stick (Stick 1) with nothing on it except an empty EFI partition with the /EFI/BOOT directory on it. Copy shimx64.efi to it as bootx64.efi, and mmx64.efi as grubx64.efi.

3. Prepare a second stick (Stick 2) like the usbboot.img stick mentioned above, but without PreLoader.efi or HashTool.efi, and with shimx64.efi copied to /EFI/BOOT as bootx64.efi, and with the EFI partition as the first partition.

4. Generate a MOK signing key with:
Code:

# Self-signed MOK certificate (PEM) plus its private key, valid for ten years
openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout MOK.key -out MOK.crt \
        -nodes -days 3650 -subj "/CN=Your Name/"
# DER copy of the same certificate; this is the form MokManager enrols
openssl x509 -in MOK.crt -out MOK.cer -outform DER

This will provide the MOK certificate in both PEM (MOK.crt) and DER (MOK.cer) forms. The private part is MOK.key. Copy MOK.crt and MOK.cer to /EFI/BOOT on Stick 1 (MokManager requires the DER form but you might as well include the PEM one as well).

5. Prepare a grub image as follows:

Code:

# Standalone EFI grub image; the shim_lock module makes it hand off only to
# kernels that shim can verify against db or MOK
grub-mkimage --format=x86_64-efi --output=grubx64.efi.unsigned --compression=xz \
    --prefix="" part_gpt part_msdos fat ext2 hfs hfsplus iso9660 udf ufs1 ufs2 zfs \
    chain linux boot appleldr configfile normal regexp minicmd reboot halt search \
    search_fs_file search_fs_uuid search_label gfxterm gfxmenu efi_gop efi_uga \
    all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help \
    ls png jpeg tga test at_keyboard usb_keyboard shim_lock

Sign the generated grubx64.efi.unsigned grub image with your signing certificate using sbsign from sbsigntools (which you will have to install yourself). Copy the signed version as /EFI/BOOT/grubx64.efi on Stick 2.

6. Move huge.s on Stick 2 to huge.s.unsigned and sign it also with your signing certificate as huge.s.

7. Put a grub.cfg file in /EFI/BOOT on Stick 2 with something like this in it:

Code:

# Boot the first entry after 30 seconds unless a key is pressed
set default="0"
set timeout="30"
set hidden_timeout_quiet=false

# Installer entries: huge.s and initrd.img sit in the root of the EFI partition
menuentry "Install/rescue, no KMS" {
  echo "Loading huge.s kernel and installer initrd.  Please wait..."
  linux /huge.s vga=normal load_ramdisk=1 prompt_ramdisk=0 ro printk.time=0 nomodeset SLACK_KERNEL=huge.s
  initrd /initrd.img
}
menuentry "Install/rescue, KMS" {
  echo "Loading huge.s kernel and installer initrd.  Please wait..."
  linux /huge.s vga=normal load_ramdisk=1 prompt_ramdisk=0 ro printk.time=0 SLACK_KERNEL=huge.s
  initrd /initrd.img
}
# Post-install entry: boot the signed huge.s on the stick into the system
# on the hard disk; replace [sdaX] with your root partition
menuentry "Boot Slackware" {
  echo "Booting Slackware ..."
  linux /huge.s vga=normal root=/dev/[sdaX] rootfstype=ext4 ro
}

I say "something like" because my directory structure is slightly different and this one follows the structure of usbboot.img referred to above. [sdaX] should be the intended root slackware partition on your computer's hard disk after installation. Grub should be able to find the root directory for the huge.s kernel image and the initrd.img image by itself if the EFI partition is the first partition and those images are in that partition.

8. Then boot with Stick 1 and enter your public signing key MOK.cer in MokManager.

9. Then boot with Stick 2 and install slackware.

10. Once you have installed slackware, you can boot it up with Stick 2 using the "Boot Slackware" entry mentioned, but you will also want to make a directory "grub" in /boot/efi/EFI, copy to it your signed grub image referred to above as grubx64.efi, copy shimx64.efi to it, also sign your current /boot/vmlinuz kernel image on your computer, have a grub.cfg file in /boot/efi/EFI/grub/ with an appropriate stanza to boot up your signed /boot/vmlinuz, and provide an EFI boot manager entry for shimx64.efi using efibootmgr (and make it the default boot menu item) so you don't have to go to the EFI boot manager every time you boot.

Every time you install a new slackware kernel you will have to resign /boot/vmlinuz with your key. I think that is about it. If anything else comes to mind I will do an edit. All this assumes that your new computer comes with Microsoft's public key for third party uefi applications already installed. I think that at present all consumer computers do, but if it doesn't you are stuffed. Caveat emptor.

Edit: If all you want to do is to run a slackware computer in secure boot mode that has already had slackware installed on it while secure boot was off, that is obviously a lot easier. You could just go to /boot/efi/EFI/Slackware, move elilo.efi to loader.efi, install PreLoader.efi as elilo.efi and install HashTool.efi and reboot with secure boot enabled, and then enroll elilo.efi (as renamed as loader.efi). Or you could make a /boot/efi/EFI/grub partition, prepare it with the shim, grub and mmx images as mentioned above and an accompanying grub.cfg file, and sign /boot/vmlinuz. You could then add two new entries to your EFI boot menu using efibootmgr, one to boot shimx64.efi which then boots straight into mmx64.efi (by renaming mmx64.efi as grubx64.efi) so you can enter your signing key without the need for a boot stick, and another (the default boot) to boot into shimx64.efi which will then hand off to the real grubx64.efi, thence to the signed kernel image.

enorbet 09-13-2020 01:20 PM

IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

MS reminds me of this guy --- Only ONE ---

teoberi 09-13-2020 02:32 PM

Quote:

Originally Posted by enorbet (Post 6165435)
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

MS reminds me of this guy --- Only ONE ---

Totally agree with you sir.
P.S. I have been working in education for 20 years and I know what I'm talking about!

ZhaoLin1457 09-13-2020 02:46 PM

Quote:

Originally Posted by enorbet (Post 6165435)
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

MS reminds me of this guy --- Only ONE ---

I bought a laptop several months ago which has no way to disable Secure Boot.

Permit me to doubt that the radical opinions about Secure Boot will help to grow the Slackware user base...

quickbreakfast 09-13-2020 05:46 PM

Quote:

Originally Posted by average_user (Post 6165310)
Would it be possible to make Slackware work with Secure Boot enabled?

Yes. It is possible to install and run Slackware with secure boot enabled because I recently installed 14.2 with secure boot enabled.

It wasn't until a bit later that I began to wonder whether I had disabled secure boot when I replaced the motherboard, so I went looking and found that secure boot was enabled.

Secure boot is now disabled, but several things are disabled by the BIOS.

My machine requires an EFI partition, so your machine probably will too.

From memory, the EFI partition is 240M and set using cfdisk as part of the install and is listed in my fstab.

Warning. When partitioning the drive the system (I used cfdisk) kept wanting to list my root partition as a Microsoft partition and assign the EFI partition with the boot flag. Thus make sure the root partition is linux.

When the install finishes use gparted to check and possibly move the boot flag from the EFI partition to the root partition.

average_user 09-13-2020 06:18 PM

@chrisVV, thank you, it works - I knew it's worth asking!

I followed the first method you described but this was actually easier than I thought - I've just mounted the second partition of Slackware install disk and added and replaced all of the files as you described.

It would be cool if this was integrated in the stock installer, ideally without that Hash Tool menu in between.

stormbr 09-13-2020 08:33 PM

Quote:

Originally Posted by ZhaoLin1457 (Post 6165463)
I bought a laptop several months ago which has no way to disable Secure Boot.

Permit me to doubt that the radical opinions about Secure Boot will help to grow the Slackware user base...

Have you returned it as it is obviously defective? If not you are part of the problem.

chrisretusn 09-13-2020 09:48 PM

The very idea that I must add something signed by Microsoft to boot my computer appalls me. As long as I can disable secure boot, I will continue to do so.

enorbet 09-14-2020 01:03 AM

Quote:

Originally Posted by ZhaoLin1457 (Post 6165463)
I bought a laptop several months ago which has no way to disable Secure Boot.

Permit me to doubt that the radical opinions about Secure Boot will help to grow the Slackware user base...

I suppose the very fact that you consented to buy a PC in which you are forced to use MS code with no ability to opt out is good evidence that you would consider such a thing "grown up". That aside, just what is it that you think Secure Boot does to benefit you?

average_user 09-14-2020 05:00 PM

Quote:

Originally Posted by teoberi (Post 6165344)
Or go to hell Microsoft Secure Boot with all their certificates!

Quote:

Originally Posted by enorbet (Post 6165435)
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

Quote:

Originally Posted by chrisretusn (Post 6165533)
The very idea that I must add something signed by Microsoft to boot my computer appalls me. As long as I can disable secure boot, I will continue to do so.

Quote:

Originally Posted by enorbet (Post 6165563)
I suppose the very fact that you consented to buy a PC in which you are forced to use MS code with no ability to opt out is good evidence that you would consider such a thing "grown up". That aside, just what is it that you think Secure Boot does to benefit you?


Well, honestly I didn't expect such answers. IMO you think too emotionally.

Imagine a beginner Linux user who tries various distros - Suse, Debian, Fedora - and they all boot and work fine. The next thing he/she wants to taste is Slackware because real UNIX, the oldest living distro, blah blah and so on. They want to run the installer and what - huge red error, INSECURE stuff. What they do next depends; some people might be dedicated, but some will not touch Slackware any more in their life and the only thing they will remember about it is 'the thing that didn't even boot'.

