Hi, I’m in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

I’m running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I’m 100% sure I don’t need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

I’m planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.

I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.

What are other ways I can make my laptop more secure?

    • GravitySpoiled@lemmy.mlEnglish
      0·
      9 months ago

      Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.

      Now I know why I didn’t bother with selinux back when I used arch. I never had any issues with it on fedora.

  • bodaciousFern@lemmy.dbzer0.com
    0·
    9 months ago

    50 minutes seems way too long - I run Gentoo on a 2nd gen i5 and my kernel compile is always under 20 minutes.

    You are using make -j4 or make -j(number of CPU cores) for parallel compile, right?

    • chevy9294@monero.townOPEnglish
      0·
      9 months ago

      On laptop with Ryzen 5 5500U (12 threads) it takes 50 minutes and on desktop with Ryzen 7 3700X (16 threads) it takes 20 minutes. I use all threads to compile the kernel.

      It compiles way waster with Gentoo, because it has minimal config. I used the default config from Arch repos and modified it. It’s full of unneeded drivers, but I’m scared of disabling them. I already disabled wrong drivers a few times and had to use different kernel to boot.

  • scratchandgame@lemmy.mlTiếng Việt
    0·
    9 months ago

    (arch still use systemd)

    and linux still not have base system software sandboxed (you can’t enforce)

    Currently it takes ~50 minutes to recompile the kernel

    try make with -j

  • vatson112@lemm.ee
    0·
    9 months ago

    There are also some kernel settings that you may find useful. Currently I am on the mobile and cannot remember the names. Text me if you need help

    Network:

    Enable rp and arp filter

    Disable IP forwarding if you don’t use docker

    Disable tcp timestamp

    Disable icmp broadcast

    Enable syncookies

    Enable source route checking

    Other:

    Enable hard and soft link protection (it is may broke your system, use carefully)

    Enable kptr restrict

    Disable kexec

    Disable sysrq

    Enable randomize virtual memory address

    Disable JIT for ebpf programms

    Disable loading drivers via modprobe in live kernel.

    Also check which hardware mitigations is disabled in your kernel. (Spectre, meltdawn) You may enable KASL

    Also use selinux or apparmor. I prefer Selinux.

    Enable auditd and configure it for auditing actions that your find useful.

    • chevy9294@monero.townOPEnglish
      0·
      9 months ago

      Thank you for the list! Do you maybe know where can I find explanations what does each option do? I know only half of them and I already use some of them.

  • Pantherina@feddit.de
    0·
    9 months ago

    Look at secureblue for more things

    • hardened malloc (preloading is somewhat complex for flatpaks)
    • maybe more kargs

    That custom kernel sounds very cool. Not sure if replacing it works on Fedora Atomic, would be very much needed

    SELinux confined users is also very important, SELinux is kinda contradictory to flatpak though, as they do the same things often and Flatpaks often dont work because they are not built for it.

      • Pantherina@feddit.de
        0·
        9 months ago

        Same. It works really well, I am doing some kind of project building a hardened Firefox. It has hardened build parameters, removed jemalloc (so it uses hardened_malloc, otherwise it fails to start with memory issues), and I also experiment with various optimization flags as I have a x86_64-v4 intel CPU.

        This repo is also interesting.

        Secureblue has Chromium preinstalled with a hardening and also privacy policy, but I used googerteller and damn that thing pings Google every second, its scary.

        • chevy9294@monero.townOPEnglish
          0·
          9 months ago

          Now I’ve installed it and Librewolf works nornally. Is that normal or is malloc not working or is Librewolf compiled with hardened malloc?

          I’ve heard about googerteller and I never thought someone will use it (except to try it)

          • Pantherina@feddit.de
            0·
            9 months ago

            Librewolf uses jemalloc and I have no idea but Flatpak browsers are not broken.

            I also asked Fedora people and Fedora Firefox also allows replacing the malloc, but as the package is already removed from the image you cant normally install it back.

            Yup, googerteller is damn scary. Chromium contacts Google when opening the profile picker, loading the addons, listing saved passwords