this post was submitted on 25 Feb 2025
48 points (100.0% liked)


cross-posted from: https://lemmy.ml/post/26453685

Not many people have heard about secureblue, and I want to spread the word about it. secureblue provides hardened images for Fedora Atomic and CoreOS. It's an operating system "for those whose first priority is using linux, and second priority is security."

secureblue provides exploit mitigations and fixes for multiple security holes. This includes the addition of GrapheneOS's hardened_malloc, their own hardened Chromium-based browser called Trivalent, USBGuard to protect against USB peripheral attacks, and plenty more.

secureblue has definitely matured a lot since I first started using it. Since then, it has become something that could reasonably be used as a daily driver. secureblue recognizes the need for usability alongside security.

If you already have Fedora Atomic (e.g. Secureblue, Kinoite, Sericea, etc.) or CoreOS installed on your system, you can easily rebase to secureblue. The install instructions are really easy to follow, and I had no issues installing it on any of my devices.

I'd love more people to know about secureblue, because it is fantastic if you want a secure desktop OS!

top 13 comments
[–] chemicalwonka@discuss.tchncs.de 6 points 6 days ago (1 children)
[–] JustEnoughDucks@feddit.nl 2 points 6 days ago (2 children)

Do you know if you can still do everything with it? Like atomic already has its own limitations and quirks. I can imagine there are bigger limitations with this.

Like can you install driver-level stuff like tablet drivers, GPU/CPU control, udev rules, etc... I guess I don't really know the implications of the extra hardening.

I use secureblue as host for my virtual machines

[–] jamesbunagna@discuss.online 3 points 5 days ago

Not the one you asked, but please allow me to give my take on the matter.

Do you know if you can still do everything with it? Like atomic already has its own limitations and quirks. I can imagine there are bigger limitations with this.

Being derived from Fedora Atomic, it already comes with its own set of limitations; like being limited in which kernel mods you can make use of (without reinventing the wheel), or how UKI is unsupported, or how you should probably create your own image if you want to populate /usr. You can't even install software from any repository; e.g. installing the ProtonVPN RPM has been hit or miss for me.

And, on top of this, secureblue's hardening does (strictly) limit this even further. Most impactful, so far, would be the inability to use sudo or anything like it. Instead, run0 is suggested. I'm 100% sure that run0 is better. However, I've had at least 1 occasion on which the software doesn't know how to properly interact in this setting. Ultimately, I'd have to put the blame on the software that doesn't properly support run0. And, perhaps, you could help address the issue by opening a bug report related to it. But it's definitely something to keep in mind.

Finally, note that on first setup you're walked through the many different additional hardening measures that can be reverted based on your needs. Just be aware of that fact.

Like can you install driver-level stuff like tablet drivers

Maybe. Depends on what exactly it is.

GPU/CPU control

I have.

udev rules

Shouldn't be a problem either.

etc… I guess I don’t really know the implications of the extra hardening.

If you're interested, I suppose the best course of action would be to find a secondary device of yours and set it up to your heart's content with secureblue. Whenever you face a roadblock, consider paying a visit to their Discord server for support; they've been a great help so far. If, at some point, you find something you absolutely can't do, then you'd have to make up your mind on what you deem more important. Wish ya the best of luck!

[–] Dropper_Post@lemm.ee 3 points 6 days ago (2 children)

They do not claim to be the most secure Linux distro on the market but do not say which is. Lol

[–] jamesbunagna@discuss.online 5 points 5 days ago (1 children)

I believe your confusion comes from the following line: "secureblue does not claim to be the most secure option available on the desktop."

Which is simply their acknowledgement that more secure options like Qubes OS exist. Note, however, that Qubes OS is not based on Linux, but instead on Xen.

[–] Dropper_Post@lemm.ee 2 points 5 days ago (1 children)

So it’s like not using linux commands and such?

[–] jamesbunagna@discuss.online 2 points 5 days ago

secureblue absolutely does.

Qubes OS does too. But that's because dom0 and most of the qubes you'd interact with are just Linux. But the qube can be based on BSD instead. Heck, you could have it based on Windows even. These qubes are VMs; so you can basically do whatever you want with them. The heavy use of virtualization is exactly what makes Qubes OS as secure as it is.

[–] notanapple@lemm.ee 2 points 5 days ago (1 children)
[–] Dropper_Post@lemm.ee 2 points 5 days ago (2 children)

I am literally halfway installing qubes os. I had linux mint before.

[–] jamesbunagna@discuss.online 3 points 5 days ago

Going from Linux Mint to Qubes OS could be rough. You're warned ;) .

[–] notanapple@lemm.ee 1 points 5 days ago

Lol good luck but I wouldn't recommend it as your daily os. Qubes is for those who have got a nation state on their back or something like that. For most people, default fedora is more than enough.

(see https://www.privacyguides.org/en/os/qubes-overview/ and https://www.privacyguides.org/en/desktop/)

[–] runtime@lemmy.ml 2 points 6 days ago

Anyone use this for a server? How is it?