LinuxQuestions.org
Old 07-19-2021, 04:45 PM   #16
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,550

Rep: Reputation: 3404

Quote:
Originally Posted by Olek View Post
But you know the only way for this ISO to work with the default UEFI keys is signing the ISO files by MS?
Good luck with this!
You are making a big confusion there!

In fact, there's a master key stored in the EFI, which can be only one, and multiple signing keys. It's kinda like the SSL certificates, where Microsoft is CA.

From Microsoft, a distribution needs to buy a signing key (which comes in private and public variants), then they can sign as many binaries as they want.

Directly signed by Microsoft should be only the SHIM binaries, both the loader and the MokManager, because those should be able to run without your own signing key being loaded yet on EFI.

At least, this is how I have understood this story.

Quote:
Originally Posted by Olek View Post
AFAIK if You want Secure Boot with any Linux distribution, then You must have hardware with UEFI BIOS which is capable to add Your own keys.
Apparently some manufacturers add Ubuntu keys.
Also openSUSE marches on Secure Boot enabled systems like the Red Army did on the road to Berlin. I have not tried Fedora, BUT I believe that it has no issues with Secure Boot either.

In fact, the SINGLE major distribution which still has trouble with Secure Boot is Slackware.

Last edited by LuckyCyborg; 07-19-2021 at 04:55 PM.
 
1 members found this post helpful.
Old 07-19-2021, 05:31 PM   #17
blancamolinos
Member
 
Registered: Mar 2011
Distribution: Slackware
Posts: 109

Rep: Reputation: 70
Linux distributions running on virtual machines may be increasingly used. In many places that use Linux, such as CERN, it is used like this.

Windows WSL can be something in that direction as well.

Last edited by blancamolinos; 07-19-2021 at 05:37 PM.
 
Old 07-19-2021, 07:02 PM   #18
chrisVV
Member
 
Registered: Aug 2010
Posts: 548

Rep: Reputation: 370
Quote:
Originally Posted by Olek View Post
AFAIK if You want Secure Boot with any Linux distribution, then You must have hardware with UEFI BIOS which is capable to add Your own keys.
Apparently some manufacturers add Ubuntu keys.
There is more incorrect and useless speculation than accuracy in most of the threads about secure boot in the Slackware forums (and quite probably on many other issues as well). Fedora and Ubuntu will boot on secure boot enabled systems because they supply shim and MokManager EFI binaries which have been signed via Microsoft's signing service. It would be relatively straightforward for slackware to do the same if wanted. None of this relies on the ability of users to mess about with the PK, KEK and DB keys already installed on their machines via their BIOS. (You can do that, but if you do, you would no longer be able to boot Windows.)

However it would not be necessary for slackware to go down the Microsoft signing service route. Slackware could use the MokManager and shim EFI binaries from Fedora as they stand, which are available from the fedora repo. The slackware distribution would need to sign its kernel with a slackware key. You would then need users as a first step to enter this slackware key into their computer's NVRAM via MokManager on first boot up of the installation media. After that, the slackware boot media would be recognised.

Slackware is quite conservative so may not do any of that. But if you have another computer available to prepare the media yourself, it is trivial to sign slackware media with your own key and enter your key into MokManager on your target machine on first boot. I have no problem installing slackware on secure boot only computers.
 
8 members found this post helpful.
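
The self-signing route described in post #18 above (sign the boot files with your own key, then enroll that key through MokManager), as an added example that is not part of the thread or any poster's own script. It assumes `openssl` and the sbsigntools programs `sbsign`/`sbverify` are installed; the file names, certificate subject and directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: sign boot files with a locally generated Machine Owner Key (MOK).
# File names, the certificate subject and directory layout are assumptions.

# Return non-zero (and name the tool) if a required program is missing.
need_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# mok_keygen DIR: create MOK.key (private), MOK.crt (PEM) and MOK.der (DER).
# sbsign consumes the PEM pair; MokManager enrolls the DER certificate.
mok_keygen() (
    need_tools openssl || exit 1
    umask 077                        # private key readable by its owner only
    mkdir -p "$1" && cd "$1" || exit 1
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Local MOK constructed example" \
        -keyout MOK.key -out MOK.crt 2>/dev/null || exit 1
    openssl x509 -in MOK.crt -outform DER -out MOK.der || exit 1
)

# mok_sign KEYDIR IMAGE: sign an EFI image (for example an EFI-stub kernel)
# and replace it only if the signed copy verifies against the certificate.
mok_sign() (
    need_tools sbsign sbverify || exit 1
    sbsign --key "$1/MOK.key" --cert "$1/MOK.crt" --output "$2.signed" "$2" || exit 1
    sbverify --cert "$1/MOK.crt" "$2.signed" || exit 1
    mv "$2.signed" "$2"
)

# mok_stage KEYDIR MEDIADIR: put only the public certificate on the boot media
# so it can be selected in MokManager; MOK.key never leaves the build machine.
mok_stage() {
    cp "$1/MOK.der" "$2/MOK.der"
}

# Usage: script keygen DIR | sign KEYDIR IMAGE | stage KEYDIR MEDIADIR
case "${1:-}" in
    keygen) mok_keygen "$2" ;;
    sign)   mok_sign "$2" "$3" ;;
    stage)  mok_stage "$2" "$3" ;;
esac
```

On the target machine, MokManager's "Enroll key from disk" entry is pointed at the staged `MOK.der`; after that the firmware-trusted shim accepts images signed with the matching private key.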
Old 07-20-2021, 09:24 AM   #19
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,834
Blog Entries: 17

Rep: Reputation: 642
Quote:
Originally Posted by chrisretusn View Post
After reading that Debian Wiki, seem like a lot of effort just to get your machine to boot especially if you are using and initrd and upgrading kernels frequently (like with -current).

At this point I am glad I don't have to worry about it yet.
Well, you can add to this discussion that some computer manufacturers are more or less friendly towards GNU/Linux, and that any lack of friendliness would result in (slightly) fewer sales for them for people who would choose the friendly manufacturer over the unfriendly one. In my own experience, Acer has been quite friendly and I doubt they will change this anytime soon. They have been selling whiteboxes and GNU/Linux versions of several of their products (at a windows deducted price, aka cheaper). There are other companies as well, like Dell, and others that I haven't paid attention to.

Then we also have "other" manufacturers that ONLY ship with GNU/Linux, and unlike 10-15 years ago, the quality is comparable to major manufacturers, even "better" in some cases. So, I doubt we will be out of options anytime soon, unlike the mobile market which has been locked to a corrupt duopoly. It looked like computers were also moving in that direction, but it hasn't panned out. And even if it did, the "other" manufacturers are still established. In the mobile market, the problem is different, the duopoly is enforced/normalized at the manufacturing level, meaning few or nobody will manufacture for anyone else than the giants who adhere to the duopoly, which makes it near impossible to launch a mobile product and participate in that market. With computers it's different, it is already established.

It is worth considering supporting them as well by buying their products. And not only to support them, but because their products are generally very good these days.
A few examples:
Tuxedo Computers
System76
Purism

And there are others as well.
 
3 members found this post helpful.
Old 07-28-2021, 09:31 AM   #20
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558

Original Poster
Blog Entries: 15

Rep: Reputation: 2097
A lot of OEMs don't have GNU/Linux on their radar unfortunately. It's still mainly considered a server class OS and a hobbyist desktop system, and the same goes for the BSDs. That may change with SteamOS and SteamDeck, but I seriously doubt it. ANY UNIX-like or UNIX-based system is always going to play second fiddle to Windows.

As far as how Slackware could go about it, well best leave that up to Patrick, but honestly, I'd favor whatever is less of a headache, easier to accomplish, and more native to Slackware and the Slackware methodology, even if that means a Microsoft signed kernel; it's just a signature authority, nothing more or less.

Best to keep Fedora as far away as possible. We have really no idea how different their stuff is compared to Slackware stuff. Fedora is Fedora and Slackware is Slackware.
 
2 members found this post helpful.
Old 07-28-2021, 10:35 AM   #21
Aeterna
Senior Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,011

Rep: Reputation: Disabled
Quote:
Originally Posted by chrisVV View Post
There is more incorrect and useless speculation than accuracy in most of the threads about secure boot in the Slackware forums (and quite probably on many other issues as well). Fedora and Ubuntu will boot on secure boot enabled systems because they supply shim and MokManager EFI binaries which have been signed via Microsoft's signing service. It would be relatively straightforward for slackware to do the same if wanted. None of this relies on the ability of users to mess about with the PK, KEK and DB keys already installed on their machines via their BIOS. (You can do that, but if you do, you would no longer be able to boot Windows.)

However it would not be necessary for slackware to go down the Microsoft signing service route. Slackware could use the MokManager and shim EFI binaries from Fedora as they stand, which are available from the fedora repo. The slackware distribution would need to sign its kernel with a slackware key. You would then need users as a first step to enter this slackware key into their computer's NVRAM via MokManager on first boot up of the installation media. After that, the slackware boot media would be recognised.

Slackware is quite conservative so may not do any of that. But if you have another computer available to prepare the media yourself, it is trivial to sign slackware media with your own key and enter your key into MokManager on your target machine on first boot. I have no problem installing slackware on secure boot only computers.
Aren't these certificates (MS) commercially available only?
If so, just buy them for Slackware if you want the problem solved, or face issues with a custom convoluted approach, at least for now. Maybe in the future MS will give these certificates for free, but now the only option is to use commercially backed distros, e.g. openSUSE, Fedora, Ubuntu, if you want an easy secure boot option.

This reminds me a bit about UEFI being first introduced and grim stories about linux not being able to boot UEFI systems. As far as I know, linux boots fine on UEFI (without secure boot option though). Same thing probably will happen with secure boot (being easily available for linux).

Last edited by Aeterna; 07-28-2021 at 10:37 AM.
 
Old 07-28-2021, 03:39 PM   #22
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,834
Blog Entries: 17

Rep: Reputation: 642
Quote:
Originally Posted by ReaperX7 View Post
A lot of OEMs don't have GNU/Linux on their radar unfortunately. It's still mainly considered a server class OS and a hobbyist desktop system, and the same goes for the BSDs. That may change with SteamOS and SteamDeck, but I seriously doubt it. ANY UNIX-like or UNIX-based system is always going to play second fiddle to Windows.
I wouldn't have such high faith in the OEMs actually. Those are the same manufacturers that co-operated with Microsoft for decades to monopolize the market and force feed consumers to buy Windows with every computer. It's not like Microsoft did it all on their own.

GNU/Linux DID exist at the highpoint of this monopoly, so did FreeBSD and others. All those manufacturers were free to deliver the same products at a reduced price with GNU/Linux instead of Windows, or FreeBSD. They could have made drivers available for those operating systems instead, and even made their own custom OS out of those, it's not like they lacked resources. Some of them have even proven that to be fully viable in the aftermath. Acer for example have their own GNU/Linux distro, and it's not bad (just not something for a GNU/Linux enthusiast).

Many of those same companies have developed their own OSes or forks of things like Meego, so it's not like they are unable to do such things, just unwilling. Sony made their own (quite excellent) version of FreeBSD and has been using it in consumer devices since 2013 (PS4). They could have done that on PC as well, but they didn't.

Neither did any of those OEMs offer GNU/Linux as an alternative or let people try it, by offering it as say a dual boot option. They could have done that, but they didn't. No, instead they acted as salesmen for Microsoft, adding a reduced price Windows onto all their products (€50-€100), and undoubtedly received commissions or some advantage from their tight co-operation with Microsoft. It might even be that other commercial OS companies would have wanted to have a chance as well.

But hey, in hindsight this OEM/Microsoft monopoly was not so bad. Look what we have nowadays, we have tyrants like Google and Apple completely locking down the mobile market and micromanaging their slaves, eh, I mean "customers". So, it's pretty clear to me that Microsoft was actually very bad, but the sad thing is that relatively speaking they do not look so bad anymore. But hey, it's not like Google and Apple are just offering people communist uniform production-line products that are all the same, and thus restrict the freedom and creativity of the whole market, by owning it from the top (UI) to bottom (manufacturers). It's not like Apple and Google are actually just offering people the same uniproduct over and over again.

Just like George W Bush, Microsoft doesn't look so bad these days, and one might even relatively speaking remember those as "better times". Surely not for a lack of trying, Microsoft should be commended for not locking down PC products the same way Apple and Google have locked down mobile products, right?

PS. There is some sarcasm infused into parts of the post, I hope that can be distinguished

Last edited by zeebra; 07-28-2021 at 03:45 PM.
 
Old 07-28-2021, 03:49 PM   #23
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,550

Rep: Reputation: 3404
Quote:
Originally Posted by Aeterna View Post
Aren't these certificates (MS) commercially available only?

If so, just buy them for Slackware if you want problem solved[SNIP]
You are suggesting that the financial balance of Slackware, Inc. is so bad that it's impossible for them to spend 250 dollars one time only?
 
Old 07-28-2021, 03:53 PM   #24
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,834
Blog Entries: 17

Rep: Reputation: 642
Quote:
Originally Posted by LuckyCyborg View Post
You are suggesting that the financial balance of Slackware, Inc. is so bad that it's impossible for them to spend 250 dollars one time only?
I would think it is a matter of principles as well.
 
Old 07-28-2021, 03:59 PM   #25
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,550

Rep: Reputation: 3404
Quote:
Originally Posted by zeebra View Post
I would think it is a matter of principles as well.
With all respect, it's all about hardware, not about principles.

It's all about the operating system's working or NOT on a certain part of the hardware sold today.

And it's all about losing or gaining potential customers.

On the other hand, it's simple: anybody paying one trillion dollars or so to the hardware manufacturers could convince them all to ship a custom SSL certificate on their motherboards.

It's all about money. And customers.

Last edited by LuckyCyborg; 07-28-2021 at 04:06 PM.
 
Old 07-28-2021, 04:03 PM   #26
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,834
Blog Entries: 17

Rep: Reputation: 642
Quote:
Originally Posted by LuckyCyborg View Post
With all respect, it's all about hardware, not about principles.

It's all about the operating system's working or NOT on a certain part of hardware sold today.

And it's all about losing potential customers.
It's like the shop owner who demands you kiss their ass before you are allowed to buy bread.

Would you surely not buy bread in another way?

Last edited by zeebra; 07-28-2021 at 04:06 PM.
 
1 members found this post helpful.
Old 07-28-2021, 04:05 PM   #27
mrapathy
Member
 
Registered: Nov 2005
Distribution: Slackware,Debian
Posts: 366

Rep: Reputation: 66
I love Slackware; I've been using it for the better part of 20 years. Want to go on. 15 is taking its time, so I'm using Debian buster.
 
Old 07-28-2021, 04:14 PM   #28
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,550

Rep: Reputation: 3404
Quote:
Originally Posted by zeebra View Post
It's like the shop owner who demands you kiss their ass before you are allowed to buy bread.

Would you surely not buy bread in another way?
What you say has nothing to do with reality. It's just radicalism in a fantasy world.

In fact, Microsoft is just a Certificate Authority. One of them.

Because I have seen computers with Ubuntu preinstalled, which have the Ubuntu certificate on the motherboard.

And I heard that there are SUSE computers too.

Last edited by LuckyCyborg; 07-28-2021 at 04:19 PM.
 
Old 07-29-2021, 01:15 AM   #29
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,377

Rep: Reputation: 2757
Quote:
Originally Posted by LuckyCyborg View Post
With all respect, it's all about hardware, not about principles.

It's all about the operating system's working or NOT on a certain part of the hardware sold today.

And it's all about losing or gaining potential customers.

On the other hand, it's simple: anybody paying one trillion dollars or so to the hardware manufacturers could convince them all to ship a custom SSL certificate on their motherboards.

It's all about money. And customers.
With all respect, it has always been about the principles and who mandates control of the hardware.

Yes, we know it can be done, but the production and enrollment of keys for every kernel change is at best an inconvenience while at worst has potential for a bricked system.

Giving up the principle for expediency reminds me of the old quip.

Totally agree with the rest of the comments.
 
1 members found this post helpful.
Old 07-29-2021, 02:20 AM   #30
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,550

Rep: Reputation: 3404
Quote:
Originally Posted by allend View Post
With all respect, it has always been about the principles and who mandates control of the hardware.

Yes, we know it can be done, but the production and enrollment of keys for every kernel change is at best an inconvenience while at worst has potential for a bricked system.

Giving up the principle for expediency reminds me of the old quip.

Totally agree with the rest of the comments.
So, you came with an article written 10 (ten) years ago regarding Secure Boot?

Man, many, many things have changed in 10 years of computing...

Let me show how openSUSE does things today, because I live in TODAY:

https://en.opensuse.org/openSUSE:UEFI
https://drivers.suse.com/doc/Usage/S...rtificate.html
https://doc.opensuse.org/documentati.../cha-uefi.html

Yeah, it's all about importing an openSUSE certificate (that $250 worth thing) then you will be happy the rest of your life with that openSUSE installation under Secure Boot.

I testify that this is what really happens, because I did this certificate import myself too, as an openSUSE user.

I, for one, have also used Ubuntu under Secure Boot with no issue. It also needs importing a certificate and that's all.

In fact, I do not believe that any major Linux distribution (excluding Slackware) has issues with Secure Boot in the year 2021 after Christ.

I believe that IF Slackware refuses today to support Secure Boot, this will have exclusively a commercial effect: shunning away a certain part of its potential customers, who have plenty of alternatives anyway.

Hence, the question: do we want people to use Slackware, or NOT?

Last edited by LuckyCyborg; 07-29-2021 at 02:38 AM.
 
  



Tags
secure boot, uefi


