LinuxQuestions.org
Old 09-13-2020, 03:09 AM   #1
average_user
Member
 
Registered: Dec 2010
Location: Warsaw, Poland
Distribution: Slackware
Posts: 534

Rep: Reputation: 212
Start Slackware installer without disabling UEFI Secure Boot first?


I might need to install Slackware on new hardware soon and I wonder if it's possible to start installer and install Slackware without disabling UEFI Secure Boot first. I have ASUS Z97-A and I have to disable Secure Boot before running Slackware installer or I get error message as shown here https://i.imgur.com/h4wOX5d.jpg (Secure Boot is enabled by default so I have to disable it explicitly). On the other hand I tried to run Ubuntu 20.04.1 LTS ISO with Secure Boot enabled and to my surprise it just worked. I don't know how it works but there are some details here https://wiki.ubuntu.com/UEFI/SecureBoot. Would it be possible to make Slackware work with Secure Boot enabled?
 
Old 09-13-2020, 03:40 AM   #2
LuckyCyborg
Member
 
Registered: Mar 2010
Posts: 710

Rep: Reputation: 498
Quote:
Originally Posted by average_user View Post
I might need to install Slackware on new hardware soon and I wonder if it's possible to start installer and install Slackware without disabling UEFI Secure Boot first. I have ASUS Z97-A and I have to disable Secure Boot before running Slackware installer or I get error message as shown here https://i.imgur.com/h4wOX5d.jpg (Secure Boot is enabled by default so I have to disable it explicitly). On the other hand I tried to run Ubuntu 20.04.1 LTS ISO with Secure Boot enabled and to my surprise it just worked. I don't know how it works but there are some details here https://wiki.ubuntu.com/UEFI/SecureBoot. Would it be possible to make Slackware work with Secure Boot enabled?
I doubt that Slackware Installer will ever start over UEFI Secure Boot, because from what I understand, the Slackware kernels and bootloaders aren't signed with Microsoft Secure Boot certificates.

However, the RHEL, SuSE or Ubuntu kernels and bootloaders are signed, then they will work in this environment.

So, in the Slackware case, I believe you must disable this feature - or IF you can't, you should throw in the towel.
 
4 members found this post helpful.
Old 09-13-2020, 04:26 AM   #3
average_user
Member
 
Registered: Dec 2010
Location: Warsaw, Poland
Distribution: Slackware
Posts: 534

Original Poster
Rep: Reputation: 212
Quote:
Originally Posted by LuckyCyborg View Post
However, the RHEL, SuSE or Ubuntu kernels and bootloaders are signed, then they will work in this environment.
Yes, that's the reason but if they can do that couldn't Slackware do that as well?

So far I have always been able to disable Secure Boot but if I could run Slackware with Secure Boot enabled it would be slightly easier to install it because sometimes finding an option to disable Secure Boot in UEFI interface can take more than a while. I heard that motherboards manufacturers have to provide option to disable Secure Boot but what if this requirement changes or company policy prevents me from disabling it?
 
Old 09-13-2020, 04:45 AM   #4
LuckyCyborg
Member
 
Registered: Mar 2010
Posts: 710

Rep: Reputation: 498
Quote:
Originally Posted by average_user View Post
Yes, that's the reason but if they can do that couldn't Slackware do that as well?

So far I have always been able to disable Secure Boot but if I could run Slackware with Secure Boot enabled it would be slightly easier to install it because sometimes finding an option to disable Secure Boot in UEFI interface can take more than a while. I heard that motherboards manufacturers have to provide option to disable Secure Boot but what if this requirement changes or company policy prevents me from disabling it?
Yes, probably Slackware can sign its kernels and bootloaders too...

The catch is: IF someone convinces Mr. Volkerding to buy a Microsoft certificate for Slackware - BTW, from what I heard, this certificate costs like a really good sports car, i.e. Ferrari 488 Pista, then do the math about probability of seeing (or not) middle fingers if you ask for this.

However, you are aware that even if Slackware signs its things and runs fine over Secure Boot, you still will never be able to run your custom and unsigned kernels in the same way?

To run your own built kernel, you will need anyway to disable Secure Boot.

Last edited by LuckyCyborg; 09-13-2020 at 05:48 AM.
 
1 members found this post helpful.
Old 09-13-2020, 06:21 AM   #5
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 196

Rep: Reputation: 124
Quote:
Originally Posted by LuckyCyborg View Post
Yes, probably Slackware can sign its kernels and bootloaders too...

The catch is: IF someone convinces Mr. Volkerding to buy a Microsoft certificate for Slackware - BTW, from what I heard, this certificate costs like a really good sports car, i.e. Ferrari 488 Pista, then do the math about probability of seeing (or not) middle fingers if you ask for this.

However, you are aware that even if Slackware signs its things and runs fine over Secure Boot, you still will never be able to run your custom and unsigned kernels in the same way?

To run your own built kernel, you will need anyway to disable Secure Boot.
Or go to hell Microsoft Secure Boot with all their certificates!
 
2 members found this post helpful.
Old 09-13-2020, 06:50 AM   #6
chrisVV
Member
 
Registered: Aug 2010
Posts: 426

Rep: Reputation: 233
Yes, you can install, and run, slackware64-current on a computer with secure boot enabled (I do it). You will need an existing machine running linux to prepare your boot sticks.

The easiest way, which is not in my view the best way, is to use the Linux Foundation's PreLoader.efi and HashTool.efi, and to enroll elilo.efi in your MOK using HashTool, which will be brought up the first time you boot. You can do it this way:

1. First you need a (non-secure boot) slackware boot stick with an actual real EFI partition, formatted for a VFAT file system with partition type "EFI System partition." (code EF00). One way of doing that is to delete every existing file and partition on the stick, and make an EFI partition on it. You can have, say, a second ext4 partition with the latest slackware current distribution on it, if your stick is big enough (a 10GB stick should do), or you can even have the whole stick as an EFI partition and put the slackware distribution on it.

2. Mount usbboot.img with 'mount -o loop [/path/to]/slackware64-current/usb-and-pxe-installers/usbboot.img /mnt/loop'

3. Copy the whole of its contents, including directory structure, to the EFI partition on the stick you have just made.

4. Go to the EFI/BOOT directory you will now have on the stick, move bootx64.efi to loader.efi (it is actually a copy of elilo.efi) and copy PreLoader.efi to the stick as bootx64.efi in its place. Copy HashTool.efi to EFI/BOOT as HashTool.efi.

Now you should be able to boot that stick in secure boot mode. The first time you boot the stick, PreLoader.efi will invite you to hash a file, and you should hash your loader.efi (the renamed original bootx64.efi which is a copy of elilo.efi). This works because PreLoader.efi has been signed by Microsoft's key for third party uefi applications, the public certificate for which will be in the computer's efi db, and PreLoader.efi will in turn verify via the hash obtained from HashTool.efi what it is handing off to, namely elilo. Once you have installed slackware on your hard disk, via PreLoader.efi you should be able to boot off the same loader.efi (renamed as elilo.efi) whose hash you have entered above, in order to boot up your computer off the hard disk. You might as well keep a copy of HashTool.efi in your computer's EFI partition also in case you need it to enter a new hash for a new elilo.efi, and put an EFI boot manager entry for PreLoader.efi using efibootmgr to enable booting directly to it from the EFI boot manager to then hand over to elilo.efi.

But this is definitely not the best way to do it, although it is the easiest. It is not the best because it drives a coach and horses through the purpose of secure boot - elilo will be able to boot any kernel, secure or not. Better is to use fedora's shim with grub, whereby you can sign individual kernel images which you want to be able to boot. To do that on a new secure-boot-only system you need to start with two boot sticks, the first to enroll your signing key in MokManager, and the second to boot up and install slackware after you have entered the key. To do this:

1. Obtain shim from Fedora's website (I use shim-x64-15-8.x86_64.rpm), explode the rpm and obtain the efi binaries shimx64.efi and mmx64.efi. shimx64.efi has been pre-signed by Microsoft's and fedora's keys but will only hand over to a kernel image which has been signed with a key entered in MokManager. mmx64.efi is the MokManager efi and is used to enter your key for that purpose.

2. Prepare a stick (Stick 1) with nothing on it except an empty EFI partition with the /EFI/BOOT directory on it. Copy shimx64.efi to it as bootx64.efi, and mmx64.efi as grubx64.efi.

3. Prepare a second stick (Stick 2) like the usbboot.img stick mentioned above, but without PreLoader.efi or HashTool.efi, and with shimx64.efi copied to /EFI/BOOT as bootx64.efi, and with the EFI partition as the first partition.

3. Generate a MOK signing key with:
Code:
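# Create a self-signed RSA-2048 certificate (MOK.crt) and its private key (MOK.key).
# -nodes leaves the private key unencrypted on disk.
openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout MOK.key -out MOK.crt \
        -nodes -days 3650 -subj "/CN=Your Name/"
# Convert the PEM certificate to DER, the form MokManager requires.
openssl x509 -in MOK.crt -out MOK.cer -outform DER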
This will provide the MOK certificate in both PEM (MOK.crt) and DER (MOK.cer) forms. The private part is MOK.key. Copy MOK.crt and MOK.cer to /BOOT/EFI on Stick 1 (MokManager requires the DER form but you might as well include the PEM one as well).

4. Prepare a grub image as follows:

Code:
grub-mkimage --format=x86_64-efi --output=grubx64.efi.unsigned --compression=xz \
    --prefix="" part_gpt part_msdos fat ext2 hfs hfsplus iso9660 udf ufs1 ufs2 zfs \
    chain linux boot appleldr configfile normal regexp minicmd reboot halt search \
    search_fs_file search_fs_uuid search_label gfxterm gfxmenu efi_gop efi_uga \
    all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help \
    ls png jpeg tga test at_keyboard usb_keyboard shim_lock
Sign the generated grubx64.efi.unsigned grub image with your signing certificate using sbsign-tools (which you will have to install yourself). Copy the signed version as /EFI/BOOT/grubx64.efi on Stick 2.

5. Move huge.s on Stick 2 to huge.s.unsigned and sign it also with your signing certificate as huge.s.

6. Put a grub.cfg file in /EFI/BOOT on Stick 2 with something like this in it:

Code:
set default="0"
set timeout="30"
set hidden_timeout_quiet=false

menuentry "Install/rescue, no KMS" {
  echo "Loading huge.s kernel and installer initrd.  Please wait..."
  linux /huge.s vga=normal load_ramdisk=1 prompt_ramdisk=0 ro printk.time=0 nomodeset SLACK_KERNEL=huge.s
  initrd /initrd.img
}
menuentry "Install/rescue, KMS" {
  echo "Loading huge.s kernel and installer initrd.  Please wait..."
  linux /huge.s vga=normal load_ramdisk=1 prompt_ramdisk=0 ro printk.time=0 SLACK_KERNEL=huge.s
  initrd /initrd.img
}
menuentry "Boot Slackware" {
  echo "Booting Slackware ..."
  linux /huge.s vga=normal root=/dev/[sdaX] rootfstype=ext4 ro
}
I say "something like" because my directory structure is slightly different and this one follows the structure of usbboot.img referred to above. [sdaX] should be the intended root slackware partition on your computer's hard disk after installation. Grub should be able to find the root directory for the huge.s kernel image and initrd.img image by itself if the EFI partition is the first partition and those images are in that partition.

7. Then boot with Stick 1 and enter your public signing key MOK.cer in MokManager.

8. Then boot with Stick 2 and install slackware.

9. Once you have installed slackware, you can boot it up with Stick 2 using the "Boot Slackware" entry mentioned, but you will also want to make a directory "grub" in /boot/efi/EFI, copy to it your signed grub image referred to above as grubx64.efi, copy shimx64.efi to it, sign also your current /boot/vmlinuz kernel image on your computer, have a grub.cfg file in /boot/efi/EFI/grub/ with an appropriate stanza to boot up your signed /boot/vmlinuz, and provide an EFI boot manager entry for shimx64.efi using efibootmgr (and make it the default boot menu item) so you don't have to go to the EFI boot manager every time you boot.

Every time you install a new slackware kernel you will have to re-sign /boot/vmlinuz with your key. I think that is about it. If anything else comes to mind I will do an edit. All this assumes that your new computer comes with Microsoft's public key for third party uefi applications already installed. I think that at present all consumer computers do, but if it doesn't you are stuffed. Caveat emptor.

Edit: If all you want to do is to run a slackware computer in secure boot mode that has already had slackware installed on it while secure boot was off, that is obviously a lot easier. You could just go to /boot/efi/EFI/Slackware, move elilo.efi to loader.efi, install PreLoader.efi as elilo.efi and install HashTool.efi and reboot with secure boot enabled, and then enroll elilo.efi (as renamed as loader.efi). Or you could make a /boot/efi/EFI/grub partition, prepare it with the shim, grub and mmx images as mentioned above and an accompanying grub.cfg file, and sign /boot/vmlinuz. You could then add two new entries to your EFI boot menu using efibootmgr, one to boot shimx64.efi which then boots straight into mmx64.efi (by renaming mmx64.efi as grubx64.efi) so you can enter your signing key without the need for a boot stick, and another (the default boot) to boot into shimx64.efi which will then hand off to the real grubx64.efi, thence to the signed kernel image.

Last edited by chrisVV; 09-14-2020 at 03:29 AM. Reason: Add text for a case where slackware is already installed.
 
12 members found this post helpful.
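An added example, not part of chrisVV's post: a check for the shim/grub method above that reports which boot-chain files (grubx64.efi, huge.s, /boot/vmlinuz) actually carry a signature, so an unsigned kernel is caught after an upgrade rather than at the next boot. The function names are hypothetical, the sample files are constructed minimal PE32+ headers, and GNU od, dd and mktemp are assumed.

```shell
#!/bin/sh
# Added example: report which boot-chain files carry an Authenticode signature.
# sbsign stores the signature in the PE/COFF Certificate Table (data directory
# index 4), so an empty entry there means the image is unsigned.

# read_le FILE OFFSET NBYTES -> unsigned little-endian integer, in decimal
read_le() (
    val=0 bits=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        val=$(( val + (b << bits) )); bits=$(( bits + 8 ))
    done
    echo "$val"
)

# efi_sig_size FILE -> certificate-table size in bytes (0 = unsigned);
# exit status 2 if FILE is not a PE/COFF image.
efi_sig_size() (
    f=$1
    [ -r "$f" ] || exit 2
    [ "$(read_le "$f" 0 2)" -eq 23117 ] || exit 2        # "MZ" DOS header
    pe=$(read_le "$f" 60 4)                               # e_lfanew at 0x3c
    [ "$(read_le "$f" "$pe" 4)" -eq 17744 ] || exit 2     # "PE\0\0"
    opt=$(( pe + 24 ))                                    # optional header
    case $(read_le "$f" "$opt" 2) in
        267) dirs=$(( opt + 96 )) ;;                      # 0x10b: PE32
        523) dirs=$(( opt + 112 )) ;;                     # 0x20b: PE32+
        *) exit 2 ;;
    esac
    # NumberOfRvaAndSizes precedes the directories; entry 4 must exist.
    [ "$(read_le "$f" $(( dirs - 4 )) 4)" -gt 4 ] || { echo 0; exit 0; }
    read_le "$f" $(( dirs + 36 )) 4                       # entry 4: size field
)

# audit_boot_chain FILE... -> one status line per file; returns 1 if any file
# is unsigned or not a PE image (e.g. a freshly upgraded /boot/vmlinuz).
audit_boot_chain() {
    rc=0
    for img in "$@"; do
        if size=$(efi_sig_size "$img"); then
            if [ "$size" -gt 0 ]; then
                echo "SIGNED    $img ($size-byte certificate table)"
            else
                echo "UNSIGNED  $img"; rc=1
            fi
        else
            echo "NOT-PE    $img"; rc=1
        fi
    done
    return "$rc"
}
# A certificate table only shows that some signature is attached; check it
# against your own key with:  sbverify --cert MOK.crt /boot/vmlinuz

# --- constructed sample input: minimal PE32+ headers, not real boot images ---
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
make_sample_pe() {   # make_sample_pe FILE CERT_TABLE_SIZE (0-255)
    {
        printf 'MZ'; zeros 58
        printf '\100\000\000\000'           # e_lfanew = 64
        printf 'PE\000\000'; zeros 20       # PE signature + COFF header
        printf '\013\002'; zeros 106        # magic 0x20b + fixed fields
        printf '\020\000\000\000'           # NumberOfRvaAndSizes = 16
        zeros 32                            # directories 0..3
        printf '\360\000\000\000'           # certificate table offset
        printf "\\$(printf '%03o' "$2")\\000\\000\\000"   # and its size
    } > "$1"
}

tmp=$(mktemp -d)
make_sample_pe "$tmp/huge.s" 8
make_sample_pe "$tmp/huge.s.unsigned" 0
audit_boot_chain "$tmp/huge.s" "$tmp/huge.s.unsigned" || echo "re-sign needed"
rm -rf "$tmp"
```

On an installed system the same function can be pointed at /boot/efi/EFI/grub/grubx64.efi and /boot/vmlinuz after each kernel upgrade.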
Old 09-13-2020, 01:20 PM   #7
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 3,008

Rep: Reputation: 3074
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

MS reminds me of this guy --- Only ONE ---

Last edited by enorbet; 09-13-2020 at 01:25 PM.
 
5 members found this post helpful.
Old 09-13-2020, 02:32 PM   #8
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 196

Rep: Reputation: 124
Quote:
Originally Posted by enorbet View Post
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

MS reminds me of this guy --- Only ONE ---
Totally agree with you sir.
P.S. I have been working in education for 20 years and I know what I'm talking about!
 
1 members found this post helpful.
Old 09-13-2020, 02:46 PM   #9
ZhaoLin1457
Member
 
Registered: Jan 2018
Posts: 449

Rep: Reputation: 479
Quote:
Originally Posted by enorbet View Post
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.

MS reminds me of this guy --- Only ONE ---
I bought a laptop several months ago, which has no way to disable Secure Boot.

Permit me to doubt that the radical opinions about Secure Boot will help to grown up the Slackware user base...
 
3 members found this post helpful.
Old 09-13-2020, 05:46 PM   #10
quickbreakfast
Member
 
Registered: Oct 2015
Posts: 137

Rep: Reputation: Disabled
Quote:
Originally Posted by average_user View Post
Would it be possible to make Slackware work with Secure Boot enabled?
Yes. It is possible to install and run Slackware with secure boot enabled because I recently installed 14.2 with secure boot enabled.

It wasn't until a bit later that I began to wonder whether I had disabled secure boot when I replaced the motherboard so went looking that I found secure boot was enabled.

Secure boot is now disabled, but several things are disabled by the BIOS.

My machine requires a EFI partition, so your machine probably will too.

From memory, the EFI partition is 240M and set using cfdisk as part of the install and is listed in my fstab.

Warning. When partitioning the drive the system (I used cfdisk) kept wanting to list my root partition as a Microsoft partition and assign the EFI partition with the boot flag. Thus make sure the root partition is linux.

When the install finishes use gparted to check and possibly move the boot flag from the EFI partition to the root partition.
 
1 members found this post helpful.
Old 09-13-2020, 06:18 PM   #11
average_user
Member
 
Registered: Dec 2010
Location: Warsaw, Poland
Distribution: Slackware
Posts: 534

Original Poster
Rep: Reputation: 212
@chrisVV, thank you, it works - I knew it's worth asking!

I followed the first method you described but this was actually easier than I thought - I've just mounted the second partition of Slackware install disk and added and replaced all of the files as you described.

It would be cool if this was integrated in the stock installer, ideally without that Hash Tool menu in between.

Last edited by average_user; 09-13-2020 at 06:40 PM.
 
Old 09-13-2020, 08:33 PM   #12
stormbr
Member
 
Registered: Aug 2007
Location: Brazil
Distribution: Slackware 14.1 x86_64
Posts: 34

Rep: Reputation: 22
Quote:
Originally Posted by ZhaoLin1457 View Post
I bought a laptop several months ago, which has no way to disable Secure Boot.

Permit me to doubt that the radical opinions about Secure Boot will help to grown up the Slackware user base...
Have you returned it as it is obviously defective? If not you are part of the problem.
 
1 members found this post helpful.
Old 09-13-2020, 09:48 PM   #13
chrisretusn
Senior Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware64-current
Posts: 1,289

Rep: Reputation: 550
That very idea that I must add something signed by Microsoft to boot my computer appalls me. As long as I can disable secure boot, I will continue to do so.
 
4 members found this post helpful.
Old 09-14-2020, 01:03 AM   #14
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 3,008

Rep: Reputation: 3074
Quote:
Originally Posted by ZhaoLin1457 View Post
I bought a laptop several months ago, which has no way to disable Secure Boot.

Permit me to doubt that the radical opinions about Secure Boot will help to grown up the Slackware user base...
I suppose the very fact that you consented to buy a PC in which you are forced to use MS code with no ability to opt out is good evidence that you would consider such a thing "grown up". That aside, just what is it that you think Secure Boot does to benefit you?
 
4 members found this post helpful.
Old 09-14-2020, 05:00 PM   #15
average_user
Member
 
Registered: Dec 2010
Location: Warsaw, Poland
Distribution: Slackware
Posts: 534

Original Poster
Rep: Reputation: 212
Quote:
Originally Posted by teoberi View Post
Or go to hell Microsoft Secure Boot with all their certificates!
Quote:
Originally Posted by enorbet View Post
IMHO Secure Boot is yet another bullying tactic literally as criminal as Armed Robbery. MS routinely uses the power of 90+% market share, with claws firmly embedded in Military, Government, Education, and almost everything that matters in society to a degree that emphasizes "Power Corrupts". Frankly I consider Debian and RedHat cowardly for having caved in to what amounts to mildly terrorist ransom. I seriously doubt that Mr. Patrick Volkerding or ANY of the contributors is so weak and unprincipled.
Quote:
Originally Posted by chrisretusn View Post
That very idea that I must add something signed by Microsoft to boot my computer appalls me. As long as I can disable secure boot, I will continue to do so.
Quote:
Originally Posted by enorbet View Post
I suppose the very fact that you consented to buy a PC in which you are forced to use MS code with no ability to opt out is good evidence that you would consider such a thing "grown up". That aside, just what is it that you think Secure Boot does to benefit you?

Well, honestly I didn't expect such answers. IMO you think too emotionally.

Imagine a beginner Linux user who tries various distros - Suse, Debian, Fedora and they all boot and work fine. Next thing he/she wants to taste is Slackware because real UNIX, the oldest living distro blah blah and so on. They want to run the installer and what - huge red error, INSECURE stuff. What they do next depends, some people might be dedicated but some will not touch Slackware any more in their life and the only thing they will remember about it is 'the thing that didn't even boot'.

Last edited by average_user; 09-14-2020 at 05:02 PM.
 
  

