My thoughts on Slackware, life and everything

Tag: grub

Liveslak 1.8.2 re-adds Secure Boot support

When Slackware-current upgraded the Grub package to 2.12,  liveslak lost the ability to boot on a computer with Secure Boot enabled.

Grub 2.12 is a lot stricter than the previous 2.06 release when it comes to trusting the files it loads and executes. The way it works now is as follows (step 1 and 2 are unchanged):

  1. The Secure Boot computer will only load the primary bootloader when that has been signed with a SSL certificate which is stored in NVRAM (the Database key). Unless you have deleted the original Db, the Dbx, the KEK and the Platform Key in order to install your own self-generated keys, this will be a Microsoft certificate.
    Linux distributions nowadays mostly use a UEFI bootloader called “shim” for Secure Boot. The bigger distros have one in their repository which has been signed by Microsoft. Because this Microsoft certificate is already stored in your computer’s NVRAM, the “shim” trusts it and proceeds with booting.
    Slackware does not have a “shim” which is signed by Microsoft, and nor do I. For liveslak I simply re-use one of the signed “shim” packages from either Fedora, OpenSuSE or else Debian.
  2. The “shim” bootloader will only load a secondary bootloader (Grub for example) if it recognizes and trusts the SSL certificate with which that one has been signed.
    The big distros have embedded their own certificate inside their Microsoft-signed “shim” and for that reason, the “shim” implicitly trusts the distro certificate. This “shim” will then accept and load any secondary bootloader which has been signed by that same distro certificate. It allows a distro to have a transparent boot process (Secure Boot or normal boot) without any specific user actions that need to be performed.
    In our case since I signed our Slackware Grub bootloader with my own SSL key and certificate, the “shim” must be taught to accept this certificate as trustworthy. We do this by enrolling the certificate into the MOK – another piece of storage space in the Secure Boot computer’s NVRAM. MOK stands for Machine Owner Key… and you are the Machine Owner. Since you have to be physically present at your computer when you tell the MOK-manager to enroll the liveslak SSL certificate, that makes the certificate trusted.
    How that is done? I wrote an article about that, three years ago: Secure Boot support landed in liveslak 1.5.0 and I invite you to re-read it.
    The “shim” will load our liveslak Grub bootloader after you enrolled the “liveslak.der” certificate in the MOK.
  3. Now it gets “interesting”. Grub 2.06 would happily continue loading the kernel, the initrd and then boot Slackware Live. But Grub 2.12 requires that every file it loads when Secure Boot is enabled, must be signed by a private GPG key for which Grub stores a copy of its public key. Ehh?

I called that new requirement for the boot process “interesting” but actually it was something to tear your hear out over. Debugging the boot of a computer before the stage where the Linux kernel takes over from the bootloader, is extremely difficult.
I had a good look at the Grub documentation and my liveslak sources back in July and August and actually did most of the changes that were needed during that time.

Most of the work back then went into a big rewrite of the iso2usb.sh script. When Grub needs to check a GPG signature for every file it loads from disk, the initrd must be GPG-signed as well. That means, iso2usb.sh is no longer allowed to un-pack, update and re-pack the initrd image file because that will invalidate the GPG signature.
What I did was: re-use the logic that was already implemented in isocomp.sh, a companion script to enable persistence for the Live ISO when that is used on a Ventoy USB disk.
From now on, all customizations of your Live USB stick are stored in the file ‘/liveslak/slackware_os.cfg‘ in the Linux partition. The initrd remains unchanged.

You need to use the latest version of iso2usb.sh though! Delete older versions please. They are incompatible with the new liveslak.

When that rewrite was finished, I needed to find out what the requirements were for the GPG signing process and I needed to find a way to actually use a GPG private key in my scripts without exposing Alien’s own GPG keys. I learned about ephemeral GPG keys: the liveslak ‘make_slackware_live.sh‘ script creates a GPG private/public key pair, does all the signing, stores copies of the GPG public key inside the Grub bootloader image and on the EFI partition, and then erases the private key (it will no longer be used).
Alas, even with all the requirements apparently having been satisfied I kept running into “security violation” messages on boot.

In August, I simply gave up trying to fix this, because it was so frustrating and also because real-life was too demanding.
But during the Christmas holiday, after I had completed much of my AFFiNE cloud server article, I decided to give it another shot. Actually, I had intended to work on a ‘reboot’ of the Live DAW project but the feedback I am getting on my recent blog post is luke-warm and it did not inspire the confidence that more than a few people would actually use a refreshed DAW environment. Not to worry – that DAW refresh is still on my TODO list.
Looking at the liveslak code with a fresh perspective was really helpful and I managed to deal with the missing pieces. The final hurdle was taken when I realized that I needed to update the SBAT file which gets embedded into the Grub boot image, precisely because I am now using a newer Grub version. As I said, hair-tearing.
With good results: the liveslak-1.8.2 is again supporting Secure Boot.

Note: Secure Boot is supported only on 64-bit computers and only after you transferred the ISO Live content to a USB stick using the iso2usb.sh script.

Anything else that’s new?

Most of what happened between releases 1.8.1 and 1.8.2 is small stuff, a lot of these small changes were necessitated by the evolution of Slackware-current and to keep the Live ISOs working.

One thing worth mentioning is this. The liveslak scripts changed a lot internally, but their usage is un-changed  with a single exception. The “-w” or “–wait” parameter to the “iso2usb.sh” script has been removed. It was meant for slow USB sticks where it takes more time for the USB subsystem to settle in the kernel. Using this parameter allowed you to increase the wait time for your USB stick to boot into the Operating System. But I solved that by using a loop in the live init, and the script parameter is no longer needed.

Download Slackware Live Edition

You can find a set of new ISOs based on liveslak on download.liveslak.org/latest/, the 64bit versions of them support Secure Boot.

It will probably work best if you use the ‘iso2usb.sh‘ script provided with liveslak to transfer the ISO content to a USB stick, it will give you a persistent environment with optional data encryption and this will allow it to boot on a lot more computers.
Alternatively, create a Ventoy disk and copy the un-changed ISO on it. You can then use liveslak’s ISO companion script ‘isocomp.sh‘ to add data persistence for that ISO on the Ventoy disk.

Get liveslak sources

The liveslak project is hosted in git. Its browsable cgit interface is here: https://git.liveslak.org/liveslak/

A set of the liveslak scripts can also be downloaded from http://www.slackware.com/~alien/liveslak/ or https://slackware.nl/people/alien/liveslak/

The liveslak public key (SSL certificate in DER encoding) that you need to enroll can be downloaded from https://download.liveslak.org/secureboot/liveslak.der

Let me know your experiences!
Cheers, Eric

Slackware Live Edition

I thought it would be a cool idea to celebrate the “farewell to udev”. With the abandoned ConsoleKit replaced by ConsoleKit2 which is actively maintained by the Slackware-friendly XFCE crew, and Gentoo’s eudev taking the place of udev, we are well equipped to keep systemd out of our distro for a while. Basically eudev contains the udev code as found in the systemd sources, but then stripped from all standards-violating systemd crap and with a sane build system. Hooray, we’re back in business and eudev gained some more traction. Win-win.

How to celebrate the occasion? Easy! By releasing the Slackware Live Edition.

liveslak-1.0.0

Please also check out the original announcement text (moved to a different page) and the follow-up articles on “liveslak” which explain how this project grew from its humble beginnings.

First teasing screenshots of my (then still called) “Project X” were revealed in a blog post in November 2015. I wrote the original annoucement a week later, also in November, on this exact blog page. However, the original text talked about being beta, incomplete and in need of testing. In the meantime, this page’s URL is being linked to from everywhere and I get many questions about “when will it be ready” so I decided to re-write this text into a proper reference page and moved the original text to a different location for posterity.

Note for clueless newbies

The Slackware Live Edition comes with two user accounts: user ‘root’ (with password ‘root’) and user ‘live’ (with password ‘live’). My advice is to login as user live and use “su” or “sudo” to get root access.

Note: the “su” and “sudo” commands will ask for the ‘live’ user’s password!

What is Slackware Live Edition, and what is liveslak?

Slackware Live Edition:
It is a version of Slackware (14.2 and newer)  that can be booted and run directly from a DVD or a USB stick. It is distributed as an ISO image and meant to be a showcase of what Slackware is about. You get the default install, no customizations, but with all the power. You do not have to install Slackware to your harddisk first to experience it first-hand.

Liveslak:
The combination of scripts, bitmaps and configurations to generate the ISO images are called project “liveslak“.

Let me state the reasons I had for starting this “liveslak” project (apart from sheer curiosity):

  1. Provide a Live version of Slackware proper – i.e. show Slackware as it is, but without having to install it. No hiding of kernel messages scrolling across the screen at boot – no custom wallpapers, etcetera. Meant for education and demonstration purposes.
  2. The target should be slackware-current – the bleeding edge. Many people want to know what that looks like but are hesitant to install slackware-current for fear that it breaks stuff and causes productivity loss.
  3. Provide a way to generate a Live ISO with just Slackware packages as the source – fully scripted and deterministic.
  4. Still be able to customize its content – for instance provide stripped-down or minimalist versions of Slackware but also allow for the inclusion of 3rd party packages.
  5. Option to create a bootable USB stick running Slackware Live (which is different from ‘dd’-ing the hybrid ISO to a USB stick!)
  6. Keep It Simple Stupid!

… but I had not anticipated the expansion of scope that can be attributed to the people who have been testing all my Beta versions. They came up with real-life use-cases, worthwhile additions and fixes. My thanks go out to all of you! The “liveslak” is so much more now then I initially conceived. Instead of being just a simple demo-toy it is now usable as a full-blown Live work environment in its own right. I carry a USB stick with a secured Slackware Live on my key chain all the time.

Highlights of Slackware Live Edition

Properly documented

The Slackware Documentation Project contains extensive documentation about “liveslak“, both for users of the Live OS and for people who want to know “how it works”  and want to develop a custom Live OS.
Check it out please, in particular all the boot options for the Live OS.

Good hardware support

The Live OS boots on “good old” BIOS computers but also on modern UEFI hardware (disable secure boot first). The kernel and userland software in the OS is fully up to date and supports modern and older hardware. If your computer does not support a 64bit Operating System then you can just download the 32bit version of Slackware Live Edition.

Persistence

Slackware Live Edition is persistent if you install its ISO to a USB stick using the “iso2usb.sh” script. Persistence of a Live OS means, the things you change or add (or delete) are stored on the USB medium and will survive a reboot. As opposed to the raw ISO image (burnt to a DVD or ‘dd’-ed to a USB stick) which is a pure Live OS where all your modifications are written to a RAM disk and gone when you reboot.

A feature I consider crucial for a persistent Live OS on a USB stick that you carry around with you in your jacket pocket is… data protection!

Data encryption

How do you protect the stuff you are accumulating in your live user’s homedirectory, such as passwords, confidential documents, GPG and SSH keys etc? You lose the USB stick, someone else may steal it – your sensitive files will be compromised. Therefore the Slackware Live Edition allows you to apply strong, unbreakable encryption to your precious data. You have the option to create a LUKS-encrypted container file in the Linux filesystem of the USB stick. The filesystem inside that encrypted container will then be mounted on the /home directory of the Live OS when it boots.
When creating the LUKS container you must enter a passphrase which will be used to encrypt all your data. During the boot-up of the Live OS, you will be prompted to enter this exact passphrase again which will then unlock the container and make your data available. On shutdown, the container will be locked again and a potential thief of your USB stick will be unable to get to the files  (i.e. your homedirectory) which reside in the encrypted LUKS container.

Multiple OS variants or flavors

The “liveslak” scripts are able to generate a variety of Slackware Live ISO flavors: SLACKWARE, XFCE, PLASMA5, MATE, CINNAMON, CUSTOM. The locations where you can download these ISO files are shown in the next paragraph.

  1. By default, “liveslak” creates a 3 GB large ISO from scratch that will give you a complete 64bit Slackware-current Live Edition.
  2. The scripts can also create a 700 MB slimmed-down XFCE version with XDM as the graphical login manager which fits on a CDROM medium or a 1 GB USB stick.
  3. A 4 GB ISO image of Slackware64-current containing Plasma 5 instead of KDE 4 is also an option. The PLASMA5 variant is spiced up with several other packages I maintain: vlc, libreoffice, calibre, qbittorrent, ffmpeg, chromium, openjdk, veracrypt.
  4. The option to generate a 2 GB ISO containing either the Mate or the Cinnamon desktop instead of Slackware’s own KDE 4 could be added courtesy of Willy Sudiarto Raharjo’s repositories.
  5. The “liveslak” scripts allow a large degree of customization so that you can create “your own” variant of a Slackware based Live OS. One example of what’s possible is the Live Edition of Cinelerra CV.

 No custom kernel or 3rd party tools needed

The main script “make_slackware_live.sh” creates an ISO from scratch. The script installs Slackware packages or package sets into compressed “squashfs” modules, configures and optimizes the target filesystem to be run as a Live environment, and then generates an initial ramdisk that will assemble the Live environment when you boot. All that is put into a bootable ISO image file. Thanks to Linux kernel 4.x and the squashfs-tools package added to Slackware 14.2, the process requires no compilation nor does it need non-standard packages to create a Slackware Live Edition (of course, the Plasma, Mate and Cinnamon flavours do require 3rd party packages). The downside is that the ISO has to be created on Slackware 14.2 (older versions of Slackware do not have the proper tools or kernels). It follows that the only Slackware release which is supported as a Live Edition is 14.2 and the “-current” development tree. All future releases will be supported too of course.

Install the Live OS to your hard drive easily

The included program “setup2hd” (all ISOs except the small XFCE variant) is a modified Slackware installer which will guide you through the familiar setup menus and install the content of the Slackware Live Edition to your hard disk. The “setup2hd” program can be run from your X session so that you can keep interacting with the Internet while Slackware installs itself.

setup2hd

Start the builtin PXE server and let the whole LAN run Slackware Live

Load the Live OS into RAM using the “toram” boot parameter and then start “pxeserver” from an X terminal. All computers in your LAN will be able to boot Slackware Live Edition from the network now. Ideal for a hackfest.

pxeserver

Download the ISO images

As stated above, you can choose between several variants of Slackware Live Edition. ISO images for the SLACKWARE, XFCE, PLASMA5 and MATE flavours using the latest Slackware-current packages are available.

The ISO images (with MD5 checksum and GPG signature) are available on the master (bear) and its mirror servers. A symlink called “latest” will always point to the latest set of ISO images.

And if you love the bleeding edge, an ISO file for slackware64-current is automatically (re-)generated every time there is an update to the ChangeLog.txt of Slackware-current. You can find this ISO image here:

Download the source

Git repository for the scripts can be found here:

A checkout of the repository can be found here:

Transfer the ISO content to a medium

  • You can burn the ISO file to a CDROM medium (only the XFCE Edition fits on a CD) or to a DVD,using your favorite burning program like k3b (KDE), xfburn (XFCE), xcdroast (plain X-Window) or brasero (GNOME)… or a Windows burning program if you want.
    Make sure you inform the application that this is a bootable ISO, i.e. do not simply burn the contents of the ISO to a disk.
  • Or, you use the program ‘dd’ or else ‘cp’ to transfer the ISO to a USB stick (aka flash drive). Any of the following two commandlines will do the job, provided your USB stick is known by your Linux computer as “/dev/sdX“. Note that sdX means the whole disk, not a partition on the disk!

    $ dd if=slackware-live-14.2.iso of=/dev/sdX
    $ cp slackware-live-14.2.iso /dev/sdX

    This creates a read-only bootable USB medium containing Slackware Live. Readonly means that you will not get persistence this way. This method is similar to using a DVD medium. If you want a writable USB stick instead, read the next option.

  • You can use the ‘iso2usb.sh’ script to transfer the content of the ISO to a USB stick, thereby adding persistence to the Live OS on the stick. The stick will remain writable and you can add new modules later on if you want.
    You can find extensive documentation on the usage of that script on the Slackware Documentation Wiki.

Booting the Live OS

When you boot Slackware Live on a BIOS computer, Syslinux will handle the boot and show the following menu:

  • Start (SLACKWARE | PLASMA5 | XFCE | MATE) Live (depending on which of the ISOs you boot)
  • Non-US Keyboard selection
  • Non-US Language selection
  • Memory test with memtest86+

You can select a keyboard mapping that matches your computer’s. And/or boot Slackware in another language than US English. You will probably want to change the timezone; syslinux allows you to edit the boot commandline by pressing <TAB> because the syslinux bootmenu does not offer you a selection of timezones.

On UEFI computers, GRUB2 handles the boot and it will show a menu similar (and similarly themed) as the Syslinux menu:

  • Start (SLACKWARE | PLASMA5 | XFCE | MATE) Live (depending on which of the ISOs you boot)
  • Non-US Keyboard selection
  • Non-US Language selection
  • Non-US Timezone selection
  • Memory test with memtest86+

Editing a Grub menu is possible by pressing the ‘e’ key. After making your changes to the boot commandline, press <F10> to boot.

Another difference between Syslinux and Grub menus: in Grub you select keyboard, language and/or timezone and you’ll return to the main menu every time. You still have to select “Start Slackware Live” to boot. In the Syslinux menu, only the keyboard selection menu will return you to (apparently bot not actually) the same main menu. The non-US language selection will boot you into Slackware Live immediately without returning to the main menu. A limitation of syslinux.

liveslak-0.9.0-xfce

 

Things to remember when you boot the ISO

Slackware Live does not log you on automatically! This is a demonstration environment, with the purpose of getting you acquainted with Slackware, remember? Therefore you will first see all these intimidating kernel messages scrolling across the screen while booting the OS. Then you need to login manually.

Consult the documentation for assistance with the various boot parameters you can use to tailor the Live OS to your needs. The syslinux boot has help screens behind the F2, F3, F4 and F5 function keys and the grub boot screen has a “help on boot parameters” menu entry.

How to create a persistent USB stick from the ISO?

The ISO can be burnt to a DVD or copied to USB stick using ‘dd’ or just plain ‘cp’, but that will give you a read-only medium because all changes to the Live OS are in fact written to your computer’s RAM and lost when you reboot.

Use the ‘iso2usb.sh‘ script to create a Live OS on the USB device with persistence.

Note: The “iso2usb.sh” script can also be found in “/usr/local/sbin” when you boot Slackware Live Edition.

By default, the changes you make while running Slackware Live will then be preserved across reboots because the OS will write all these changes to the directory “persistence” in the root of the USB device. The script requires an input and an output parameter at a minimum:

# ./iso2usb.sh -i ~/Download/slackware64-live-14.2.iso -o /dev/sdX

… where /dev/sdX is the device name of your USB stick (the actual device, not a partition on the device).

Alternatively you can use a file “persistence.img” in the root of the USB device which will be loop-mounted by the Live OS and changes to the system will be written to the filesystem inside this container file. A feature which should be appreciated by people who want to use a USB stick with a VFAT partition instead of a Linux ext4 partition. The script requires an additional parameter “-P” in this case:

# ./iso2usb.sh -P -i ~/Download/slackware64-live-current.iso -o /dev/sdX

Note that your USB stick will get formatted by the script – erasing all data currently stored on it. The iso2usb.sh script will pause to show you the characteristics of the target device and ask you once more if you really want to continue erasing it. You will not easily destroy your hard drive unless you are really not paying attention!

How to create a LUKS encrypted homedirectory container?

The iso2usb.sh script has a parameter “-c” which takes a size argument. If you want to create a 400 MB encrypted container file to hide your homedirectory in, then you need to specify “-c 400M”. If you want 2.5 GB for your homedirectory, use “-c 2.5G”. If you are not concerned so much with the exact size but want to allocate a percentage of the free space on the stick, then use “-c 40%” to create a LUKS container that uses 40% of the available free space.

Now to put that into an actual example command line which will create a file (its name will be “slhome.img”) using up 50% of the free space on the stick:

# ./iso2usb.sh -i slackware64-live-xfce-current.iso -o /dev/sdX -c 50%

When the script gets to the point where it creates the LUKS container file, it will prompt you for a passphrase which will be used for encrypting and decrypting the container’s data. Right after that, the script will prompt you to enter that passphrase again when the LUKS container is unlocked and the ISO’s /home content is copied into the container.

Help, I messed up my persistent USB stick!

You can still boot a USB stick containing persistence and/or encrypted LUKS homedirectory to a “pristine condition”.

Suppose you screwed up somehow and the USB stick won’t work properly anymore or won’t even boot to the desktop. If this happens, you can still boot the original unmodified Live OS, discarding all your accumulated persistent changes. The unmodified OS should always boot unless your USB stick is physically damaged.

You have two options to solve the levels of brokenness:

  1. Start by adding the boot command parameter “nop” which stands for “no persistence”. The “nop” boot parameter will  cause Slackware Live to ignore your persistent data, as most probably the persistent data store will contain the cause of your issue. Even when passing “nop” to grub or syslinux, Slackware Live will still mount your encrypted LUKS container on the /home directory if you are using that. It is possible that your issue is somewhere in your homedirectory (for instance you might have an issue with configuration files in ~/.local ~/.config or ~/.kde).
  2. If you want to ignore any LUKS container as well as ignoring the persistent storage, and use the /home directory of the original Live OS, an additional parameter “luksvol=” must be added to the boot commandline. Note that there is nothing at the right side of that equal sign! The two parameters together look like “nop luksvol=“.

After logging in to a pristine Slackware Live you can then remount the Linux partition of your USB stick to make it writable:

# mount -o remount,rw /mnt/livemedia

Now that the USB stick’s partition is writable you can either prune the persistence directory “/mnt/livemedia/persistence” (i.e. delete all data in there) and/or fix the content of your LUKS container file “/mnt/livemedia/slhome.img“.

Have fun! Eric

Below, you will find all the comments made by visitors since the original announcement was posted here on the blog.

© 2025 Alien Pastures

Theme by Anders NorenUp ↑