LinuxQuestions.org

Start Slackware installer without disabling UEFI Secure Boot first? (https://www.linuxquestions.org/questions/slackware-14/start-slackware-installer-without-disabling-uefi-secure-boot-first-4175682037/)

average_user 09-14-2020 05:10 PM

Quote:

Originally Posted by LuckyCyborg (Post 6165333)
Yes, probably Slackware can sign its kernels and bootloaders too...

The catch is: IF someone convinces Mr. Volkerding to buy a Microsoft certificate for Slackware - BTW, from what I heard this certificate costs like a really good sports car, i.e. Ferrari 488 Pista, then do the math about probability of seeing (or not) middle fingers if you ask for this.

Here https://www.howtogeek.com/116569/htg...eans-for-linux and in many other places it says that it costs 99 USD. How do you know it's so expensive?

blancamolinos 09-14-2020 06:26 PM

The problem will be when the user can't disable the secure boot in the UEFI bios in the future.

enorbet 09-15-2020 12:11 AM

Quote:

Originally Posted by average_user (Post 6165857)
Well, honestly I didn't expect such answers. IMO you think too emotionally.

Imagine a beginner Linux user who tries various distros - Suse, Debian, Fedora and they all boot and work fine. Next thing he/she wants to taste is Slackware because real UNIX, the oldest living distro blah blah and so on. They want to run the installer and what - huge red error, INSECURE stuff. What they do next depends, some people might be dedicated but some will not touch Slackware any more in their life and the only thing they will remember about it is 'the thing that didn't even boot'.

I don't see this as emotional at all. I vastly prefer that at least one distro demonstrates its commitment to more than the lowest common denominator. Slackware gives a great deal of power and choice but that isn't free. That requires you earn it by actions more meaningful and important than being led around by a Microsoft leash, no matter how comfortable the collar. Yes, there is emotion included in such views but they begin in cold, hard logic and strength of will.

chrisretusn 09-15-2020 05:06 AM

Quote:

Originally Posted by average_user (Post 6165857)
Well, honestly I didn't expect such answers. IMO you think too emotionally.

Imagine a beginner Linux user who tries various distros - Suse, Debian, Fedora and they all boot and work fine. Next thing he/she wants to taste is Slackware because real UNIX, the oldest living distro blah blah and so on. They want to run the installer and what - huge red error, INSECURE stuff. What they do next depends, some people might be dedicated but some will not touch Slackware any more in their life and the only thing they will remember about it is 'the thing that didn't even boot'.

First off, there is very good information in this thread for those who want to use secure boot. Thank you for this post ChrisVV!

Imagine a seasoned user of Linux or other alternative operating system finding out they can no longer run their chosen operating system without getting permission from Microsoft first.

Imagine you are a Windows 10 user and your computer doesn't start because secure boot is turned on.

As for someone wanting to try Slackware and it fails to boot because of secure boot, they can come here to find a solution. If they don't want to take the time to figure things out then Slackware is probably not for them. Secure boot isn't all as secure as Microsoft wants you to believe. Search the internet for BootHole (CVE-2020-10713) attack. Around March of this year, Windows 10 was having issues with secure boot failures.

As a personal computer user I see no advantage in using Microsoft's secure boot.

slac-in-the-box 09-15-2020 11:09 AM

Secure boot is possible without purchasing anything from Microsoft. Maybe that wasn't always the case. But today, you can create some cryptographic key pairs, update your bios with the keys so it will recognize a signed kernel, and then create an efi_boot configured kernel and sign it with said keys. Your hardware will now secure-boot without purchasing anything from Microsoft. Therefore, that particular bias is no longer justified.

However, to update the bios with your keys, secure-boot needs to be temporarily disabled.

Therefore, there is still a reason to be disgruntled about any device that had no means to disable it.

Check this out.

chrisVV 09-15-2020 01:26 PM

Quote:

Originally Posted by slac-in-the-box (Post 6166104)
However, to update the bios with your keys, secure-boot needs to be temporarily disabled. Therefore, there is still a reason to be disgruntled about any device that had no means to disable it.

You should be able to use the Linux Foundation's PreLoader, or fedora's shim, to bring up any kernel you like, including for the purpose of installing your own secure boot keys. However, having brought up any kernel you like, why bother - why not just rely on the MOK that you used to bring it up? The answer is, if Microsoft's third party signing certificate is not installed in your computer's key database: however if that is the case, and you cannot disable secure boot, then you really are in trouble. But I don't think any consumer computers are in that position.

average_user 09-17-2020 04:37 PM

@chrisVV, as I said I was able to start Slackware -current installer after following the first method you described but I still got the Secure Boot Violation error when booting newly installed Slackware system. You said:

Quote:

Quote:

4. Go to the EFI/BOOT directory you will now have on the stick, move bootx64.efi to loader.efi (it is actually a copy of elilo.efi) and copy PreLoader.efi to the stick as bootx64.efi in its place. Copy HashTool.efi to EFI/BOOT as HashTool.efi.

But isn't bootx64.efi on Slackware -current installation disk from https://bear.alienbase.nl/mirrors/sl...64-current-iso actually GRUB and not elilo? I thought that after installing Slackware I could just copy loader.efi to /boot/efi/EFI/Slackware/elilo.efi and this actually works but since this is GRUB and not elilo I just get GRUB shell and Slackware doesn't boot. Do you think I should re-use HashTool.efi and PreLoader.efi to sign elilo.efi that is used to boot installed Slackware system?

enorbet 09-17-2020 05:23 PM

Again, what does Secure Boot actually bring to the table as a Benefit and at what Cost? That is by definition, The Bottom Line - Profit or Loss?

chrisVV 09-17-2020 05:34 PM

Quote:

Originally Posted by average_user (Post 6167215)
@chrisVV, as I said I was able to start Slackware -current installer after following the first method you described but I still got the Secure Boot Violation error when booting newly installed Slackware system. You said:

But isn't bootx64.efi on Slackware -current installation disk actually GRUB and not elilo? I thought that after installing Slackware I could just copy loader.efi to /boot/efi/EFI/Slackware/elilo.efi and this actually works but since this is GRUB and not elilo I just get GRUB shell and Slackware doesn't boot. Do you think I should re-use HashTool.efi and PreLoader.efi to sign elilo.efi that is used to boot installed Slackware system?

bootx64.efi on the Slackware installation disk (if by that you mean a mounted version of the slackware distribution) is indeed a grub image. You can copy the whole distribution onto an EFI partition if it is big enough and it will be bootable. If you did that, well done for trying it, but it wasn't my suggestion.

My suggestion was that you should copy the files in the slackware usb boot image to the EFI partition on your stick, as that is generally easier as it is a lot smaller. To do that you need to follow steps 2 and 3 before step 4: "2. Mount usbboot.img with 'mount -o loop [/path/to]/slackware64-current/usb-and-pxe-installers/usbboot.img /mnt/loop' 3. Copy the whole of its contents, including directory structure, to the EFI partition on the stick you have just made." That image uses elilo for EFI boots.

You can use whichever approach you want if you know what you are doing. But explaining more clearly what you have done would be helpful.

On "I still got the Secure Boot Violation error when booting newly installed Slackware system", if you are booting the entire distribution you should do the equivalent to what I suggested in relation to slackware's USB boot image: move bootx64.efi to loader.efi, copy PreLoader.efi to your EFI boot medium as bootx64.efi in its place, copy HashTool.efi onto the boot medium and on first boot-up enroll loader.efi. If what you have done is to burn a DVD (you don't say) you would need to assemble all this before burning.

Edit: On your "Do you think I should re-use HashTool.efi and PreLoader.efi to sign elilo.efi that is used to boot installed Slackware system?", I have already dealt with that. As I said, you can move elilo.efi to loader.efi and install PreLoader.efi as elilo.efi. But my overall suggestion was that you should use shim instead.

average_user 09-17-2020 06:08 PM

Quote:

Originally Posted by chrisVV (Post 6167243)
bootx64.efi on the Slackware installation disk (if by that you mean a mounted version of the slackware distribution) is indeed a grub image. You can copy the whole distribution onto an EFI partition if it is big enough and it will be bootable. If you did that, well done for trying it, but it wasn't my suggestion.

My suggestion was that you should copy the files in the slackware usb boot image to the EFI partition on your stick, as that is generally easier as it is a lot smaller. To do that you need to follow steps 2 and 3 before step 4: "2. Mount usbboot.img with 'mount -o loop [/path/to]/slackware64-current/usb-and-pxe-installers/usbboot.img /mnt/loop' 3. Copy the whole of its contents, including directory structure, to the EFI partition on the stick you have just made." That image uses elilo for EFI boots.

You can use whichever approach you want if you know what you are doing. But explaining more clearly what you have done would be helpful.

ok, what I did is I downloaded slackware64-current-install-dvd.iso from https://bear.alienbase.nl/mirrors/sl...64-current-iso, copied to my USB stick:

Code:

cp slackware64-current-install-dvd.iso /dev/sdc

Then I mounted the second partition of the USB stick, renamed bootx64.efi to loader.efi and tried to copy PreLoader.efi but the partition turned out to be too small:

Code:

$ udisks --mount /dev/sdc2
Mounted /org/freedesktop/UDisks/devices/sdc2 at /media/Slackware-current DVD
$ cd /media/Slackware-current\ DVD/
$ df -h .
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc2      1.4M  1.4M  39K  98% /media/Slackware-current DVD
[ja:/media/Slackware-current DVD/EFI/BOOT] $ mv bootx64.efi loader.efi
[ja:/media/Slackware-current DVD/EFI/BOOT] $ cp ~/secure-boot/PreLoader.efi bootx64.efi
cp: error writing 'bootx64.efi': No space left on device

I backed up bootx64.efi (now loader.efi) and enlarged the partition using fdisk:

Code:

$ cp loader.efi /tmp/bootx64.efi
$ cd
$ udisks --unmount /dev/sdc2
$ fdisk /dev/sdc

Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): p
Disk /dev/sdc: 59.7 GiB, 64055410688 bytes, 125108224 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0cc08a3d

Device    Boot Start    End Sectors  Size Id Type
/dev/sdc1  *        0 6823935 6823936  3.3G  0 Empty
/dev/sdc2        2764    5643    2880  1.4M ef EFI (FAT-12/16/32)

Command (m for help): d
Partition number (1,2, default 2):

Partition 2 has been deleted.

Command (m for help): n
Partition type
  p  primary (1 primary, 0 extended, 3 free)
  e  extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 2
First sector (6823936-125108223, default 6823936):
Last sector, +sectors or +size{K,M,G,T,P} (6823936-125108223, default 125108223): +2M

Created a new partition 2 of type 'Linux' and of size 2 MiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Re-reading the partition table failed.: Permission denied

The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8).

I re-created FAT filesystem, restored EFI directory structure and /tmp/bootx64.efi:

Code:

$ mkfs.fat /dev/sdc2
$ udisks --mount /dev/sdc2
$ cd /media/Slackware-current\ DVD/
$ mkdir -p EFI/BOOT
$ cd EFI/BOOT/
$ cp /tmp/bootx64.efi .

I renamed bootx64.efi to loader.efi and copied PreLoader.efi and HashTool.efi:

Code:

$ mv bootx64.efi loader.efi
$ cp ~/secure-boot/PreLoader.efi bootx64.efi
$ cp ~/secure-boot/HashTool.efi .
$ md5sum  *
45639d23aa5f2a394b03a65fc732acf2  HashTool.efi
4f7a4f566781869d252a09dc84923a82  bootx64.efi
a837b160476f55e66041292836f3fbe9  loader.efi

I enabled Secure Boot in ASUS UEFI settings, booted using the USB stick and was welcomed by 'Hash Tool main menu' and I enrolled hash to loader.efi as shown here https://imgur.com/a/PfPXM33. I have then started the installer but I haven't installed the system, I have disabled Secure Boot and ran my current installation in order to back up important stuff. Next, I have installed Slackware from the USB stick and ran the newly installed system. I have re-enabled Secure Boot in hope that Slackware would just start but I got Secure Boot Violation when booting it as shown at https://i.imgur.com/h4wOX5d.jpg.

So, that's what I did.

average_user 09-17-2020 06:13 PM

Quote:

Originally Posted by enorbet (Post 6167234)
Again, what does Secure Boot actually bring to the table as a Benefit and at what Cost? That is by definition, The Bottom Line - Profit or Loss?

I don't know, ask Microsoft and Intel.

chrisVV 09-17-2020 06:28 PM

Quote:

Originally Posted by average_user (Post 6167259)
... So, that's what I did.

In /boot/efi/EFI/Slackware you will have to move elilo.efi to loader.efi, install PreLoader.efi as elilo.efi and install HashTool.efi, and enroll loader.efi again. It looks as if the file system, as well as the file, forms part of the hash. But I think shim is a better choice.
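
The staging steps described in the post above (move the real loader to loader.efi, install PreLoader.efi under the loader's old name, add HashTool.efi), as an added example that is not part of the original posts. The function name `stage_preloader`, its return codes and the free-space pre-check (for the "No space left on device" failure earlier in the thread) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): stage PreLoader/HashTool beside an
# existing EFI loader without losing the original binary.
# Usage: stage_preloader <efi_dir> <loader_name> <PreLoader.efi> <HashTool.efi>
#   efi_dir      directory on the mounted ESP, e.g. /boot/efi/EFI/Slackware
#   loader_name  file the firmware starts there, e.g. elilo.efi or bootx64.efi
# Returns: 0 staged, 1 bad input or copy failure, 2 already staged,
#          3 not enough free space on the ESP.
stage_preloader() {
    dir=$1; name=$2; pre=$3; ht=$4

    [ -f "$dir/$name" ] && [ -f "$pre" ] && [ -f "$ht" ] || {
        echo "missing loader, PreLoader.efi or HashTool.efi" >&2; return 1; }

    # Refuse a second run: it would move PreLoader itself over loader.efi
    # and the real boot loader would be gone.
    if [ -e "$dir/loader.efi" ] || cmp -s "$dir/$name" "$pre"; then
        echo "already staged in $dir" >&2; return 2
    fi

    # Pre-flight space check. The mv below is a rename and needs no space;
    # the two copies do. Checking first leaves the ESP untouched on failure.
    need_kb=$(( ($(wc -c < "$pre") + $(wc -c < "$ht")) / 1024 + 2 ))
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    if [ "$avail_kb" -lt "$need_kb" ]; then
        echo "need ${need_kb}K, only ${avail_kb}K free on the ESP" >&2; return 3
    fi

    mv "$dir/$name" "$dir/loader.efi" &&
    cp "$pre" "$dir/$name" &&
    cp "$ht" "$dir/HashTool.efi" || return 1

    # Plain file digest for your own change tracking (it need not match the
    # value HashTool displays). If loader.efi is later replaced, for example
    # by a boot loader upgrade, the enrolled hash no longer matches and
    # loader.efi has to be enrolled again.
    ( cd "$dir" && sha256sum loader.efi )
}
```

After a successful run, reboot with Secure Boot enabled and enroll loader.efi from the HashTool menu, as described in the thread.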

sombragris 09-17-2020 07:10 PM

This is a goldmine of good info. I suggest making this topic sticky or even including a howto based on it on the base Slackware documentation.

average_user 09-18-2020 06:38 AM

Quote:

Originally Posted by chrisVV (Post 6167268)
In /boot/efi/EFI/Slackware you will have to move elilo.efi to loader.efi, install PreLoader.efi as elilo.efi and install HashTool.efi, and enroll loader.efi again. It looks as if the file system, as well as the file, forms part of the hash.

ok, so at the end of the day I should use HashTool twice - first to sign GRUB that starts the installer and then to sign elilo.efi that boots installed Slackware system.

Quote:

Originally Posted by chrisVV (Post 6167268)
But I think shim is a better choice.

You mean the second method you described here https://www.linuxquestions.org/quest...7/#post6165346? From what I understand it would require more work in the future with every new kernel. I just want to run Slackware without thinking about Secure Boot on hardware that does not belong to me.

average_user 09-18-2020 06:41 AM

Quote:

Originally Posted by sombragris (Post 6167277)
This is a goldmine of good info. I suggest making this topic sticky or even including a howto based on it on the base Slackware documentation.

Yes, there should also be an article on that at https://docs.slackware.com. I might write one. It would also be good if one of the methods described in https://www.linuxquestions.org/quest...7/#post6165346 was added to the stock installer but it's up to Pat.


All times are GMT -5.