Hardened operating system images based on Fedora Atomic Desktop and Fedora CoreOS

cross-posted from: https://lemmy.ml/post/26453685

Not many people have heard about secureblue, and I want to spread the word about it. secureblue provides hardened images for Fedora Atomic and CoreOS. It’s an operating system “for those whose first priority is using linux, and second priority is security.”

secureblue provides exploit mitigations and fixes for multiple security holes. This includes the addition of GrapheneOS’s hardened_malloc, their own hardened Chromium-based browser called Trivalent, USBGuard to protect against USB peripheral attacks, and plenty more.

secureblue has definitely matured a lot since I first started using it. Since then, it has become something that could reasonably be used as a daily driver. secureblue recognizes the need for usability alongside security.

If you already have Fedora Atomic (e.g. Secureblue, Kinoite, Sericea, etc.) or CoreOS installed on your system, you can easily rebase to secureblue. The install instructions are really easy to follow, and I had no issues installing it on any of my devices.

I’d love more people to know about secureblue, because it is fantastic if you want a secure desktop OS!

    • jamesbunagna@discuss.online
      5·
      5 months ago

      To add onto what N.E.P.T.R said, it is technically possible to make a custom amalgamation of Bazzite with secureblue’s hardening. However, it would be neither here or there. Some discussion of it can be found here. IIRC, it was ultimately deemed counter-intuitive as a gaming-distro inherently conflicts with a hardened one.

      Finally, we shouldn’t disregard the technical part of this; it’s IIRC one of the reasons why the Bluefin-variants of secureblue were eventually disbanded. It frequently had a lot of interesting bugs that were simply not present on other secureblue-images. This isn’t on Bluefin either, as the non-hardened edition worked as you’d expect.

      • typhoon@lemmy.world
        2·
        4 months ago

        So, in the end, it sounds that is better to use Secureblue as it is since it seems to support quite a lot of the things that Bazzite does. Am I following this right?

        • jamesbunagna@discuss.online
          2·
          4 months ago

          So, in the end, it sounds that is better to use Secureblue as it is

          It ultimately depends on what you wish out of your system. For a general use system, I can’t fathom myself preferring Bazzite over secureblue; simply for how secureblue’s superior security comforts me. However, Bazzite would definitely be preferred on a HTPC/“game-console” device. Ultimately, it depends on what you wish out of your system. As we are talking on /c/privacy, secureblue is definitely the preferred system within that context.

          FWIW, secureblue has also (very recently) been approved by Privacy Guides. They’ve yet to update their recommendations page, though. It will likely be mentioned alongside Kicksecure.

          since it seems to support quite a lot of the things that Bazzite does. Am I following this right?

          Close enough. Usability-wise, it’s pretty smooth sailing after first setup. There are some minor things like how Waydroid works on Bazzite, but doesn’t on secureblue (at least, it didn’t when I tried it the last time). But, aside from those, it’s definitely a very viable daily driver. Just ensure to do a thorough read of their FAQ and Articles.

    • jamesbunagna@discuss.online
      7·
      5 months ago

      I believe your confusion comes from the following line: “secureblue does not claim to be the most secure option available on the desktop.”

      Which is simply their acknowledgement that more secure options like Qubes OS exist. Note, however, that Qubes OS is not based on Linux, but instead on Xen.

        • jamesbunagna@discuss.online
          3·
          5 months ago

          secureblue absolutely does.

          Qubes OS does too. But that’s becomes dom0 and most of the qubes you’d interact with are just Linux. But the qube can be based on BSD instead. Heck, you could have it based on Windows even. These qubes are VMs; so you can basically do whatever you want with them. The heavy use of virtualization is exactly what makes Qubes OS as secure as it is.