Secureblue - Atomic Fedora Hardening

RoyalOughtness · December 4, 2024, 9:29pm

mitigations=auto,nosmt disables hyperthreading/smt if the cpu is known to be affected by spectre (i.e. requires hyperthreading/smt to be disabled to be secured against spectre/spectrev2).

On newer hardware (both AMD and Intel), both companies have shipped hardware mitigations. The kernel is aware of this, and so it skips nosmt for that hardware if mitigations=auto,nosmt is set. There is a separate nosmt=force karg that can be set to require nosmt regardless of hardware, but secureblue doesn’t set this by default. We set mitigations=auto,nosmt by default, which has different behavior as described above.

Edit, p.s. welcome to the forum btw, good to have you on board

Thanks

Niek-de-Wilde · December 4, 2024, 9:32pm

Got it, thanks for the clarification

But still, wouldn’t disabling SMT still be seen as benificial securitywise, as Spectre is but one of the potentional speculation attacks.

(I even think Openbsd has had it disabled before spectre was a thing because of it?)

RoyalOughtness · December 4, 2024, 9:35pm

But still, wouldn’t disabling SMT still be seen as benificial securitywise, as Spectre is but one of the potentional speculation attacks.

Yes. When the user is setting running the setup tool, they’re prompted to force nosmt and are given an explanation to help them decide:

github.com

secureblue/secureblue/blob/24630450b39a923f720e3f2d9da9087ca7a12147/files/justfiles/kargs.just#L11


      
          # Add additional boot parameters for hardening (requires reboot)
          set-kargs-hardening:
              #!/usr/bin/bash
              read -p "Do you need support for 32-bit processes/syscalls? (This is mostly used by legacy software, with some exceptions, such as Steam) [y/N]: " YES
              if [[ "$YES" == [Yy]* ]]; then
                  echo "Keeping 32-bit support."
              else
                  IAEMU_NO="--append-if-missing=ia32_emulation=0"
                  echo "Disabling 32-bit support, for the next boot."
              fi
              read -p "Do you want to force disable Simultaneous Multithreading (SMT) / Hyperthreading? (This can cause a reduction in the performance of certain tasks in favor of security) (Note that in most hardware SMT will be disabled anyways to mitigate a known vulnerability, this turns it off on all hardware regardless) [y/N]: " YES
              if [[ "$YES" == [Yy]* ]]; then
                  NOSMT_YES="--append-if-missing=nosmt=force"
                  echo "Force disabling SMT/Hyperthreading."
              else
                  echo "Not force disabling SMT/Hyperthreading."
              fi
              read -p "Would you like to set additional (unstable) hardening kargs? (Warning: Setting these kargs may lead to boot issues on some hardware.) [y/N]: " YES
              if [[ "$YES" == [Yy]* ]]; then
              UNSTABLE_YES="--append-if-missing=efi=disable_early_pci_dma \
                  --append-if-missing=debugfs=off"

Even better though is to just disable smt/hyperthreading in the bios

RoyalOughtness · December 13, 2024, 10:40pm

In case folks here are curious about secureblue’s progress, we recently merged our images (userns and no-userns merged) thanks to some SELinux policy improvements we developed. We no longer need to add suid to bwrap, and can remove suid from chromium’s sandbox binary. And at the same time, flatpak and chromium have access to userns ootb. The container domain and the unconfined domain can be separately granted userns permissions if needed via ujust toggles, so folks moving from the userns images can have unconfined domain userns parity if they need it. This improves security for everyone, because it makes the userns permission modular and highly restricted by default, without any use of suid-root.

This is a similar albeit somewhat more restricted ootb approach to what Ubuntu is moving to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Also, hardened-chromium now will pull widevine via chrome://components, so you no longer need a second browser to watch netflix. Just toggle the protected content setting on in site settings

fria · December 14, 2024, 3:45am

I’m definitely for reevaluating secureblue, I think it’s pretty clear that it’s the superior project over kicksecure at this juncture.

xe3 · December 14, 2024, 4:53am

@RoyalOughtness, I’d be interested to hear more about what Secureblue is to you. I’d also like to know whether you feel SecureBlue (the ‘distro’, but also the project as a whole, the documentation, etc) is in a state where it would be ready to be publicly recommended to a broad audience, including not very technical users in some cases.

Is this a project you feel committed to over the long-term or at least medium-term? Or possibly a short term passion project or uni project that you don’t want to feel any obligation to stay committed to if your interests or priorities change?

I think it has been roughly a year since you initially announced SecureBlue publicly, Which is both a big milestone but at the same time still quite new and young. Because it’s still quite new, and because it feels like it is a project that currently rests solidly on your shoulders, it seems important to have at least some idea what your longer term plans or goals are for the project and yourself. Is this a project you feel there is a reasonable chance you’ll still be committed to a few years down the road?

xe3 · December 14, 2024, 5:45am

I think you are taking my questions in a way I didn’t intend. (and exaggerating some things to a huge degree–nobody is asking for a “letter of intent”).

I just want to hear @RoyalOughtness’s answers in their own words. Nothing more, nothing less. I don’t think that necessitates third party defensiveness/hostility towards what I intended as good faith questions. I just want a clearer idea of how they see their own project, and their relationship to it. I don’t think that’s an unreasonable ask.

RoyalOughtness · December 14, 2024, 8:57am

what Secureblue is to you

It’s my daily driver Aside from that, you’ll have to be more specific

including not very technical users in some cases

This is a rather strange question. I wouldn’t consider desktop linux in general to be recommendable to non-technical users, regardless of distro/image/etc. So again you’ll have to be more specific.

On top of that, the reason secureblue (and any other hardened version of an existing desktop linux system) would need to exist in the first place, is because the changes made will necessarily break someone’s use case by default. Otherwise, secureblue could just submit all of our changes upstream to Fedora. Take appimage support as an example. Appimages depend on the suid-root, deprecated, unmaintained fuse2 interface. They also encourage users to follow the security antipattern of downloading and executing binaries from the browser. Yet, since Appimages are widely used, Fedora can’t remove support for them. secureblue is willing to do so for security reasons, by default, with mechanisms for reenabling broken use cases.

So, asking about “non technical users” in the context of a hardened system is a bit of an oxymoron, definitionally. The only reason a hardened version of an existing desktop linux system would need to exist is if the hardening wasn’t upstreamable for usability reasons. When I hear “not very technical users”, I think users who wouldn’t be using desktop linux to begin with, let alone fixing their specific use cases that are deliberately broken ootb by following docs and flipping toggles.

(ujust --choose TUI, showing the available toggles and commands)

feel committed to

yes

short term passion project or uni project

no, secureblue was initially created because I wanted a hardened daily driver built with Fedora Atomic’s bootable OCI container image tooling. Expanding the project and bringing in new contributors has gotten it to a place I wouldn’t have been able to on my own, so it’s a win-win. I still need a hardened daily driver and don’t see any reason why that would change, so I still need secureblue

at the same time still quite new

secureblue has benefitted massively by not being a distro, and instead shipping as bootable OCI container images. This has meant a ton of overhead is taken care of for us by Fedora. We don’t need general repos or packaging, except for a handful of specific packages (hardened-chromium, hardened_malloc, etc). The Fedora Atomic ecosystem is also rich in tooling and automation (see: Blue-Build), plus the backdrop of robust container technology that already exists. All of this has largely enabled us to focus our energy on the hardening, and not waste time doing manual maintenance.

We’ve heavily put effort towards automation. Like I mentioned earlier, Rootkit404 built out a multi-step automation pipeline for hardened-chromium, caching the cleaned chromium sources in an rpm that’s then ingested by the primary builder. All of this can be triggered via webhooks on a schedule from github actions. We even automatically pull the chromium version from google during the build so we don’t need to bump it manually. And of course, secureblue builds daily, automatically. My point being that when it comes to “doing work on the project”, that largely means making the images even more hardened than they already are. Our maintenance is largely automated with low manual overhead. Our automation is almost thorough enough that if every secureblue contributor took a three month haitus from secureblue, builds would keep flowing and users wouldn’t even notice. Not that I’m planning on doing that, I’m just emphasizing that given how automated the project is, long-term maintenance for the project is actually not a significant commitment, and I see no reason why I wouldn’t be doing that long term. Same goes for long term development (working on improving the hardening), but of course that’s a more significant commitment and so my time invested into it will wax and wane month to month, as it has been already.

currently rests solidly on your shoulders

This is largely no longer accurate. Look at the pull request history for secureblue and hardened-chromium We have a half dozen or more regular contributors. There’s also another contributor who is working on building us a website forked from GrapheneOS’s, and I’m not even involved in that work. Don’t mistake the BDFL model for a one man show

dngray · December 20, 2024, 8:42am

This.

I’ve always said a custom ostree is really the correct way to do a distribution with minor changes (as in things not interfering with say what version of glibc is used etc) as opposed to having to manage everything yourself.

As this project has almost been around for a year now, I would be willing to reconsider evaluation.

Niek-de-Wilde · December 20, 2024, 9:22am

As we are seemingly all aboard to re evaluate SecureBlue, I have removed the rejected flag.

Niek-de-Wilde · December 22, 2024, 9:34am

Well I don’t have any current obvious blockers, but I would like to download it and give it a spin somewhere next week to get a feel for it.

jerm · December 22, 2024, 4:07pm

hey @RoyalOughtness , I see that you removed passim, which is great when I asked about it here.

Secureblue have most of the relevant configs by brace?

RoyalOughtness · December 22, 2024, 10:28pm

Just a heads up, we’re (mainly @esselownitro) currently working on a website and polishing up all the docs as part of that move. Stay tuned

RoyalOughtness · December 22, 2024, 11:03pm

Secureblue have most of the relevant configs by brace?

Like I’ve said before, I’ll keep my thoughts on other FOSS projects to a minimum because I don’t like commenting on work that people have put lots of volunteer effort into, especially on a public forum.

You’ll have to be more specific though, in some cases the question doesn’t make sense. Also, your question is a mischaracterization somewhat because it implies that the core of secureblue’s value-add and hardening come from “config”. For example, some of what Brace does like configure Fedora’s chromium via policies is stuff we do in code GitHub - secureblue/hardened-chromium: A hardened chromium for desktop Linux inspired by Vanadium., and building our own browser lets us do far more than is possible via chromium policies.

In general though, sysctl/modprobe/karg config is the tippy top of the hardening iceberg. You’re welcome to compare secureblue’s config to other projects, but it’s not a good barometer for a system’s relative hardening.

If you want to compare systems, you’re better off running these kinds of tests against them:

We’ve already set up automated trivy scans in github actions, and one of our contributors is working on building a VM integration testing pipeline in github actions using qemu [DEV] Add integration testing · Issue #378 · secureblue/secureblue · GitHub This will let us not only run UX and integration tests of the installation process and core functionality, but will let us have automatic daily openscap scans

IksNorTen · December 23, 2024, 7:57am

Hello, I actually have Fedora 41 and I’m new to it. Would you recommend SecureBlue instead of it ?

Niek-de-Wilde · December 23, 2024, 2:23pm

Thank you for the update. As on my side, I am as we speak installing silverblue

overdrawn98901 · December 23, 2024, 6:56pm

I’m actually of thinking to do the exact same thing, but do so with Sway Atomic. I wonder, @RoyalOughtness, apologies for the naieve question, but is Secureblue agnostic to the variant of Fedora I choose (and with that the wm that comes with it)?

RoyalOughtness · December 23, 2024, 10:27pm

variant of Fedora I choose (and with that the wm that comes with it)?

Installing secureblue fully replaces the existing system. I personally rebase between secureblue images frequently, mainly for development reasons The ISO you choose only matters in the sense that going between DEs can leave some dotfiles mess in your ~/.config.

Other than that, it’s not terribly important. You can install secureblue-silverblue from a sericea ISO and vice versa.

with Sway Atomic.

github.com

secureblue/secureblue/blob/9727c488e9d235fc22294a006d38be540cf47eb8/docs/RECOMMENDED.md

> [!NOTE]
> This is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.

GNOME is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It's primarily for this reason that GNOME images are recommended. KDE has [plans](https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/issues/7) to fix this.

GNOME also provides [thumbnailer sandboxing](https://gitlab.gnome.org/GNOME/gnome-desktop/-/issues/213) in Gnome Files, which mitigates attacks [via thumbnailers](https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html).

GNOME is recommended. Hopefully this recommendation will be expanded in the future, but other DEs/WMs leave privileged wayland protocols wide open , which renders them unacceptable for recommendation.

RoyalOughtness · December 23, 2024, 10:28pm

If security is your priority

anon94009837 · December 23, 2024, 10:35pm

Do I need to verify the Fedora Silverblue image before installing secureblue or does secureblue have checks in place to ensure the installation is authentic?

Topic		Replies	Views
Kicksecure vs Secureblue? Questions	10	181	December 28, 2024
How do I download Secureblue? Questions	5	75	March 13, 2024
Hardened-chromium is now Trivalent! General software	14	2574	April 11, 2025
Thoughts on Universal Blue (Bluefin, Bazzite, Aurora) General	22	4021	February 5, 2025
Brave vs Trivalent Security Questions	22	1059	March 27, 2025

Secureblue - Atomic Fedora Hardening

Related topics