Trying Linux for the 9374919th time here. I went for openSuse Tumbleweed this time because Aeon ships with GNOME.
Activated Trusted Boot at install but it didn’t work. Still asking for the drive password at boot instead of autolocking through TPM.
Having to deal with the terminal to harden is a deal breaker for me.
Should I try another distro? I want secure boot and trusted boot out of the box if possible.
Can you link to what ou are specifically referring to as trusted boot, in the context of OpenSUSE/Linux generally?
As to your broader question, some hardening is certainly possible using GUI apps and settings, but any of the more advanced or more bespoke/custom stuff will likely require working with the CLI and/or editing cofnig files manually.
However you chose a distro with pretty strong defaults. Are there specific areas you are looking to lock things down?
A lot of the hardening is done in the BIOS to enable secure boot, prevent BIOS downgrade, etc.
I also remember modifying the GRUB to enable IOMMU Protection and that needs the terminal to not only edit the default GRUB config but also run the command that updates GRUB. I think I’ve seen Fedora have a GRUB editor in its software repository (maybe a flatpak?) in an online guide.
The rest is unfortunately done with fwupdmgr. I guess you can check if there is a GUI for that in GitHub or something.
Overall most of it is doable without the command line interface. But the guides I’ve seen and followed usually involves a terminal along the way, unfortunately. You might actually end up installing more cruft to do the same on a GUI and this makes you follow a longer guide where things can go wrong because it is out of date.
Can you expand on that? What hardening are you referring to with fwupdmgr, or are you referring to keeping firmware and drivers up to date and patched?
From my understanding Fedora doesnt need much hardening beyond the defaults…
If you do want to do extensive hardening, you will probably need to use the terminal at some point. Its not so bad with a bit of practice
You can see where your device is weak against when you run fwupdmgr security. Also yes, you can keep your firmware up to date with this but some vendors do not use this method for some of their consumer motherboards.
You want a HSI:4 but that seems to require specific Intel vPro or Ryzen PRO CPU. So we aim for a HSI:3 level of security for the rest of us.
This screenshot one below has HSI:2
You can also see this Fedora 40 via GNOME Settings >>> Privacy & Security >>> Device Security like this HSI:0 score that I have 
The Brace Toolkit by @SkewedZeppelin also uses the CLI. I’ve yet to try it to harden my install but the video on the Divested.dev page seems to show CLI as well.
If I understood correctly, Trusted Boot is a form of auto unlocking a drive encrypted with luks. This is what I need in addition to secure boot which I already got.
I have an issue with that because to my understanding of trusted boot, you usually use a TPM with it and in the case of a catastrophic motherboard failure, IIRC, you lose the TPM, you also lose the key and therefore will not be able to unlock the computer at all.
This kind of setup only work if you have a NAS (or several other backups) where you sync the files you use in this particular machine with trusted boot so that in the event of a hardware failure the data you have isnt completely lost
With LUKS, can’t you set up a recovery password so that you don’t lose your data if your TPM dies?
Seems like the way to go for me would be having an encrypted home folder instead of the entire partition, then.
I dont know exactly how that works but that sound like it makes sense. I havent set up mine with LUKS TPM because last I checked (I think last year?) it wasnt mature enough for me to make it work easily.
I made some research and people said encrypting only the home folder is useless because there are leaks. I forgot to keep the link to share it here.
Oh well, back to Windows I guess. Thanks, everyone.
I have set up secure boot and was able to make it so that I had to input a pin along with TPM OR just input a long recovery passcode
It looks that the OP likes KDE and want some security features out of the box. Not a specialist but maybe Fedora Kinoite could be an easier adaptation over OpenSuse TB, or maybe Kubuntu.
For hardening I think there are a couple of areas to work:
AppArmor Profiles in case of Kububtu
Please feel free to correct any misguided direction here.
Windows also have this sort of problem if you choose to do full disk encryption. You still have to securely manage keys if you want TPM to manage your BitLocker encryption.
I think is no escape from typing passphrases when it comes full disk encryption. Might as well do it everyday so that you have some muscle memory to type it quickly and memorize random words.
Again, its good enough for issues where theft is a primary threat/concern and that frankly covers most of us normies. “Best protection” is not for everyone because it is a true hassle. The analogy would be putting your daily driver computer in a secure bank vault. Its safe from a lot of threats but not really usable on a day to day basis.
Encrypt the home directory. It is good enough.
Oh well, back to Windows I guess. Thanks, everyone.
Don’t let perfect be the enemy of good.
I think trusted boot means something slightly more specific than that.
If what you want is auto-unlocking an encrypted disk using the TPM that is definitely possible. I don’t know the specific steps or why you are still being asked for a decryption passphrase.
Yes with LUKS it wouldn’t even need to be a recovery method. You get 10 keyslots. It’s possible to set up TPM as the primary method and a password and/or keyfile so you are not dependent on hardware alone. I think that these slots can be ordered so that the automatic methods are tried first and only if they fail does it fall back to passphrase.
I guess I have been spoiled by how good GrapheneOS is out of the box. There’s nothing else as good on a desktop. When my laptop dies, I won’t be replacing it.
I think one nice thing for GrapheneOS is they’ve chosen to take an Apple-like approach of only supporting a very limited/select set of hardware devices., with an operating system (AOSP) that was designed by the same organization who designed (or at least selected) the hardware.
Linux is in a much different position, since almost no consumer hardware is designed with Linux in mind, and Linux is intended to work across a broad range of hardware, there are dozens or more hardware vendors, thousands of configurations, various distros, etc. And really distinct usecases (server, desktop, cloud, iot, even mobile). I imagine all of this considerably increases complexity of add and supporting features that interact with the hardware since there is so much more to consider and support, and so much more that is out of the control of developers. By comparison GOS can just focus on recent models from a single vendor, and a single area/use-case (mobile) which sounds much more manageable.
If you can get a pixel tablet, get one and maybe buy a wired folio style keyboard
