From f67d80d015d7d618326c3f40408bcc955e5daa2f Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 26 Nov 2022 05:39:37 -0500 Subject: [PATCH] Update content/posts/linux/Desktop-Linux-Hardening.md Co-authored-by: WfKe9vLwSvv7rN <96372288+WfKe9vLwSvv7rN@users.noreply.github.com> Signed-off-by: Tommy --- content/posts/linux/Desktop-Linux-Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md index aa2c7c9..61d8089 100644 --- a/content/posts/linux/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md 
@@ -428,7 +428,7 @@ For a Fedora Workstation specific guide, you can follow this [blog post](https:/ For Arch Linux is very similar, though `sbctl` is already included in the official Arch Linux repository, and you will need to switch from `mkinitpcio` to `dracut`. -In my opinion, this is most straight forward setup possible with a lot of potential such as integration with [systemd-measure](https://www.freedesktop.org/software/systemd/man/systemd-measure.html) in the future for better verification of the unified kernel image. With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with `ZSYS`, and I need to do more testing to see if I can get them working. Currently Arch Linux with the hardened kernel works well using `sbctl` but some level of tedious `pacman` hooks are required for appropriately timing the resigning of all relevant files every time the kernel or bootloader are updated, which on rolling release distributions can be quite often. Again, [it's hard to achieve a respectable verified boot implementation on traditional Linux](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot). +In my opinion, this is the most straight forward setup possible with a lot of potential such as integration with [systemd-measure](https://www.freedesktop.org/software/systemd/man/systemd-measure.html) in the future for better verification of the unified kernel image. With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with `ZSYS`, and I need to do more testing to see if I can get them working. Currently Arch Linux with the hardened kernel works well using `sbctl`, but some level of tedious `pacman` hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader are updated (which on rolling release distributions can be quite often). 
Again, [it's hard to achieve a respectable verified boot implementation on traditional Linux](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot). ### Encrypted `/boot`
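Review bot: the added line keeps "straight forward" as two words; since this edit is already touching that sentence, it should be "this is the most straightforward setup possible" (one word, which is the standard spelling). Two smaller points in the same line: "re‑signing" uses a Unicode non-breaking hyphen (U+2011) rather than the ASCII "-", which will not match a plain-text search for "re-signing" and renders inconsistently in some terminals and Markdown viewers, so prefer `re-signing`; and "every time the kernel or bootloader are updated" should read "is updated" since the subject is joined by "or". Finally, the removed line ended with the "Again, [it's hard to achieve ...]" sentence while the added line does not; please confirm that sentence is carried by the following unchanged line as intended and is neither dropped nor duplicated in the rendered post.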