SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Actually, now that I come to think of it, I don't think you would need to sign the Slackware kernel with your MOK if you were booting it from elilo. You would just need to sign elilo itself. If you booted from GRUB, you would need to sign GRUB and the kernel.
No one says it has to be easy! In any case I haven't used secure boot because my Lenovo tower allows it to be disabled and that's the simplest option if you're not dual-booting with Windows. But I have read up about it and there is something rather seductive about the idea of having that degree of control of what boots on your machine.
My apologies hazel, I was being ironic, trying to demonstrate that even experienced users struggle with the complexities forced on us by the Microsoft driven adoption of SecureBoot.
I agree that the concept is sound. My argument is with the process. This would be so much easier if Microsoft also required manufacturers to include keys from kernel.org
When you first boot the openSUSE installation kit (an USB drive in my care) there's MokManager which ask you to import a certificate. After importing it, openSUSE never remind you regarding Secure Boot.
However, this openSUSE certificate is not the master one, from what I seen.
I tried in another box, which is Secure Boot aware, to play with making my own certificates and signing kernels.
BUT, you should replace on UEFI BIOS the master certificate with yours. At least this way I understand.
That's not an option for me, as I said that I must preserve Windows 10 on that computer.
Also, I do NOT want to replace the master certificate, because I know that some firmware from its devices may be signed with it, so I do not want to brick it. Yeah, you can brick your computer with custom certificates.
Anyway, my son is quite happy with openSUSE, and probably he will try also Slackware, if it ever will be compatible with his computer.
Master key (Platform key) is not used to sign/check EFI binaries.
DB Key is used for this and you can have Microsoft and own keys.
Actually, now that I come to think of it, I don't think you would need to sign the Slackware kernel with your MOK if you were booting it from elilo. You would just need to sign elilo itself. If you booted from GRUB, you would need to sign GRUB and the kernel.
Yes only EFI boot loader need to be signed (elilo, GRUB). Of course there is no point of Secure boot, if kernel is not signed, but it works.
GRUB actually requires signed kernel, if booted in secure mode, not sure if this can be disabled.
Well, I'm using Secure boot for some time now.
Some configurations have only my keys and other where dual boot is required also Microsoft (actually my own and default motherboard keys).
It's relatively easy to set up and everything works without a problem.
I never saw a computer without option to disable Secure boot.
For some it's necessary to first set BIOS password or enable CSM or something, but it can be disabled.
Well, I'm using Secure boot for some time now.
Some configurations have only my keys and other where dual boot is required also Microsoft (actually my own and default motherboard keys).
It's relatively easy to set up and everything works without a problem.
Okay, you have all my attention. Please explain in details how you do this, specially the way when you do not nuke the Microsoft keys.
Quote:
Originally Posted by davjohn
I never saw a computer without option to disable Secure boot.
For some it's necessary to first set BIOS password or enable CSM or something, but it can be disabled.
Mine's has no options for disabling Secure Boot or regarding enabling CSM. And at least it has a BIOS password set.
But I have other boxes which are capable of UEFI and Secure Boot, for testing it.
Last edited by LuckyCyborg; 07-29-2021 at 02:29 PM.
I was being ironic, trying to demonstrate that even experienced users struggle with the complexities forced on us by the Microsoft driven adoption of SecureBoot.
Those "complexities" are just one time question for openSUSE. Why could NOT be same for Slackware?
Because of principles or "simplicity" to use? I remember someone saying often than one time:
Do not complicate your life for the sake of simplicity.
I would like to do an adagio regarding Secure Boot:
Do not complicate our life for the sake of simplicity!
Last edited by LuckyCyborg; 07-29-2021 at 02:52 PM.
which will enable you to stop whining about Slackware not having implemented a questionable function.
Are there any issues for the end users who don't have secure boot enabled running Slackware if it is secure boot supported? I don't know enough about this, but I doubt it.
Sure, computers only supporting secure boot or dual booting with Windows 11 that requires secure boot to be enabled is something that many probably feel is questionable. Having Slackware support those situations -- as long as it doesn't affect users that can keep secure boot disabled -- doesn't seem like a questionable thing. It seems like common sense.
What are the issues you see for non-secure boot users if Slackware were to introduce secure boot support? Are there any? I can only see positives by supporting those questionable decisions by hardware manufacturers and Microsoft other than not taking a stand, but Linux distros, let alone Slackware directly, don't really have the clout to push for a change.
In that day I had to buy a laptop for my son, because it was required at school.
Read: me going at the local computer shop and returning home with a laptop, no further alternatives available.
And this particular model looked the best compromise between the hardware performances and price.
When the alternatives on my price range was some netbooks driven by AMD E2-2500 and Intel Atoms, I apologize to not thinking about principles, choices and freedoms, but about getting the best hardware for the lowest price possible. Anyway I payed for it half of my monthly salary.
I have huge sympathy for LuckyCyborg here. I have been in a similar situation trying to balance my daughter's requirements for a school laptop, her desire for a laptop which she is not ashamed to show her friends and my need to get value for money and decent performance. In such a situation checking whether secure boot can be disabled was not at the front of my mind.
She is happy to run Windows 10 on it. When I inherit it in a few years time I will want to install Slackware on it.
Today's brand new laptops are the older laptops of tomorrow. I would like to be able to install Slackware in the future without having to jump through unnecessary secure boot hoops.
Quote:
Sure, computers only supporting secure boot or dual booting with Windows 11 that requires secure boot to be enabled is something that many probably feel is questionable. Having Slackware support those situations -- as long as it doesn't affect users that can keep secure boot disabled -- doesn't seem like a questionable thing. It seems like common sense.
I agree; this approach does seem like common sense
Last edited by amikoyan; 07-29-2021 at 04:42 PM.
Reason: mispellings
I have been in a similar situation trying to balance my daughter's requirements for a school laptop, her desire for a laptop which she is not ashamed to show her friends and my need to get value for money and decent performance.
We didn't have a choice. My daughter's school specified a MacBook, so that's what we bought. They have a special arrangement with Apple. We get the computer at a price cheaper than retail, and we pay for it in even instalments over 3 years. At the end of that, she'll get an upgrade.
Quote:
Originally Posted by amikoyan
She is happy to run Windows 10 on it.
Again, no choice for us. The school specifed MacOSX, so that's what she has. But then they use GAfE anyway... It boggles my mind. You can use Google Apps on anything.
Quote:
Originally Posted by amikoyan
When I inherit it in a few years time I will want to install Slackware on it.
No plans to do anything like that here. I'll be selling it for whatever the market price is at the time for 3 year old Macbooks.
I'm more than happy with my (now 3 year old) XPS-15. The battery still lasts 8 hours if I close the lid and use an external screen. Awesome machine. And I had no problem disabling Secure Boot on it.
Yes, but you didn't HAVE to buy that one, did you?
You could go with option 3
What I mean is, for the immediate future you can still find recent hardware that WILL have the option to disable secureboot.
Eventually, though, I'm afraid your options will become more limited...
then again you just load this keys and your own.
I can explain step by step how I loaded my keys, if anyone is interested.
Also some firmware have different name for disabling Secure boot, for ex. my ASUS firmware have setting called "OS Type" with options "Windows UEFI mode" or "Other OS".
"Other OS" disables Secure boot.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.