Update content/posts/linux/Desktop-Linux-Hardening.md

Co-authored-by: WfKe9vLwSvv7rN <96372288+WfKe9vLwSvv7rN@users.noreply.github.com>
Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2022-11-26 05:39:37 -05:00 committed by GitHub
parent a74f34e929
commit f67d80d015
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -428,7 +428,7 @@ For a Fedora Workstation specific guide, you can follow this [blog post](https:/
For Arch Linux is very similar, though `sbctl` is already included in the official Arch Linux repository, and you will need to switch from `mkinitpcio` to `dracut`.
In my opinion, this is most straight forward setup possible with a lot of potential such as integration with [systemd-measure](https://www.freedesktop.org/software/systemd/man/systemd-measure.html) in the future for better verification of the unified kernel image. With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with `ZSYS`, and I need to do more testing to see if I can get them working. Currently Arch Linux with the hardened kernel works well using `sbctl` but some level of tedious `pacman` hooks are required for appropriately timing the resigning of all relevant files every time the kernel or bootloader are updated, which on rolling release distributions can be quite often. Again, [it's hard to achieve a respectable verified boot implementation on traditional Linux](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
In my opinion, this is the most straight forward setup possible with a lot of potential such as integration with [systemd-measure](https://www.freedesktop.org/software/systemd/man/systemd-measure.html) in the future for better verification of the unified kernel image. With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with `ZSYS`, and I need to do more testing to see if I can get them working. Currently Arch Linux with the hardened kernel works well using `sbctl`, but some level of tedious `pacman` hooks are required for appropriately timing the re&#8209;signing of all relevant files every time the kernel or bootloader are updated (which on rolling release distributions can be quite often). Again, [it's hard to achieve a respectable verified boot implementation on traditional Linux](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
### Encrypted `/boot`
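Review bot: the added line corrects "this is most straight forward" to "this is the most straight forward" but leaves "straight forward" as two words; as an adjective it should be "straightforward". Also, the added line uses the HTML numeric entity `&#8209;` for the non-breaking hyphen in "re‑signing"; CommonMark renderers decode it, but it makes the Markdown source hard to read and diff, and any consumer that treats the file as plain text shows the literal `&#8209;`. Consider the literal U+2011 character or simply `re-signing`. While here, the unchanged context line "For Arch Linux is very similar" is missing its subject ("Arch Linux is very similar" or "For Arch Linux, the process is very similar"); it is not part of this hunk's change but is a one-word fix in the same paragraph.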