linux4noobs @programming.dev ᥫ᭡ 𐑖ミꪜᴵ𝔦 ᥫ᭡ @feddit.org 3 mo. ago

after 4 years of Linux I'm still lost..

I used PopOS, but once they announced they'll start focusing on their Cosmic desktop, I switched to Fedora KDE it worked to some degree until it crashed and I lost some data, now I'm on Ultramarine GNOME and it doesn't seem to like my hardware ( fans are spinning fast )

my threat model involves someone trying to physically unlock my device, so I always enable disk encryption, but I wonder why Linux doesn't support secure boot and TPM based encryption ( I know that Ubuntu has plans for the later that's why I'm considering it rn )

I need something that keeps things updated and adobts newer standards fast ( that's why I picked Fedora KDE in the first place ), I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers

Idk what to choose ಥ_ಥ ? the only one that seem to care about using hardware based encryption is Ubuntu, while other distros doesn't support that.. the problem with Ubuntu is there push for snaps ( but that can be avoided by the user )

security heads say: if you care about security, you shouldn't be using systemd, use something like Gentoo or Alpine.. yeah but do you expect me to compile my software after ? hell no

31 comments

security heads say: if you care about security, you shouldn’t be using systemd

Yah, ignore that bullshit.
- Yeah, no kidding. The same systemd that enables the very things OP is trying to enable...
  
  systemdboot + sbctl + systemd-cryptenroll and voila. TPM backed disk encryption with a PIN or FIDO2 token.
  
  AFAIK this should be doable in Ubuntu, it just requires some command-line-fu.
  
  Last I heard the Fedora installer was aiming to better support this type of thing - not so sure about Ubuntu.
K, so I'm probably oversimplifying, but almost all distros should allow you to at least encrypt /home, and although I haven't tried it myself yet, whole-disk encryption via UEFI is possible. You say your threat model is only someone trying to unlock your device, but it sounds as if you're not worried about espionage - someone gaining access to your computer and replacing the /efi boot process with something that will harvest your password when you log in. If all you're worried about is seizure and data protection, why isn't disk encryption sufficient?

If you really feel like you need TPM, Arch supports it, which means other distros do, too. Although, figuring it out for, e.g., Ubuntu of something you'll have to research; the Arch wiki is the most fantastic source of Linux documentation on the web, and much (but not all) of it can help with other distros.

I may be completely misunderstanding what problem you're encountering, but (a) disk encryption is trivial to set up on both Mint and EndeavorOS installers (the two I've used most recently), and (b) TPM certainly seems possible from the Arch wiki.
- Idk if FDE is enough, what if the attacker can modify the boot code to capture the decryption keys and other stored passwords ? as far as I know this is exactly what secure boot protects against, it checks the validity of the boot code using the TPM chip, if it's already there, why don't most distros use it ? instead you'll see that secure boot is greyed out in the Bios ( which means it's not supported )
  
  and yes, I did lock down the Bios too, with a different password
  
  Edit: I'll check EndevourOS documentation, Mint is cool but it doesn't adobt newer standards or newer kernels ( newer kernels are just much more secure )
  
  This sounds like a lenovo machine. Or something with a similar MOK enrollment process.
  
  I forget the exact process, but I recall needing to reset the secureboot keys in "install mode" or something, then it would allow me to perform the MOK enrollment. If secureboot is greyed out in the BIOS it is never linux's fault. That's a manufacturer issue.
  
  Apparently, some models of Lenovo don't even enable MOK enrolment and lock it down entirely. Meaning that you'd need to sign with Microsofts keys, not your own. The only way to do this is to be a high-up microsoft employee OR use a pre-provided SHIM from the distribution.
  
  https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader
  
  For that case, Ubuntu and Fedora are better because, per the Ubuntu documentation they do this by default.
  
  On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.
  
  Once you have secureboot working on Ubuntu or Fedora, you could likely follow these steps to enable TPM+PIN - https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
  
  There might be some differences as far as kernel module loading and ensuring you're using the right tooling for your distro, but most importantly, the bones of the process are the same.
  
  OH! And if you aren't getting the secureboot option in the installer UI, that could be due to booting the install media in "legacy" or "MBR" mode. Gotta ensure it's in UEFI mode.
  
  EDIT: One more important bit, you'll need to be using the latest nvidia drivers with the nvidia-open modules. Otherwise you'll need to additionally sign your driver blobs and taint your kernel. Nvidia-Open is finally "default" as of the latest driver, but this might differ on a per-distro basis.
  
  I was going off what you said:
  
  my threat model involves someone trying to physically unlock my device
  
  This doesn't sound to me as if you're concerned about espionage - repeated, covert, root access to your computer, for the purpose of installing software to capture your keys, so that they can steal your computer and have complete access. If someone has remote root access to your computer, you're fucked, TPM or not; they'll just read what they want whenever you're logged in and using your computer.
  
  TPM is for when you might not have secured physical access to your computer. Like, you're worried the NSA is going to sneak into your house while you're out shopping, pull your HD, replace the boot loader, and re-install it before you get home.
  
  If you're only worried about, say, losing a laptop, or a search & seizure at your house, an encrypted HD is good enough. TPM and a keylocked BIOS are belts-and-suspenders, but if they want to get at the data they'll just pull the HD and run code-breaking software on it on and entirely different super-computer. TPM won't help you at all in that case.
  
  Honestly, TPM is for a specific threat mode, which is much more like ongoing espionage, than simple opportunity theft. Your stated use case sounds more like the latter than the former.
I always enable disk encryption, but I wonder why Linux doesn't support secure boot and TPM based encryption ( I know that Ubuntu has plans for the later that's why I'm considering it rn )

There is at least one that, as of recently, offers both out of the box: OpenSUSE Aeon. In fact, TPM-based encryption is now mandatory.

It's rolling—based on OpenSUSE Tumbleweed—and atomic.

I need something that keeps things updated and adobts newer standards fast ( that's why I picked Fedora KDE in the first place ), I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers

This could be another point in Aeon's favor: it uses a combination of Flatpaks and Distrobox, meaning you can use software from basically any distribution you desire—including from, say, Arch's AUR.

I'll warn you ahead of time: Aeon and its developer are very opinionated. It's basically one person's idea of what makes "the best desktop Linux system," and those are Richard's words, not mine. It is also currently still in the release candidate stage.
- In this [default] mode, Aeon will measure all of the following aspects of your systems integrity and store those measurements in your systems TPM:
  
  UEFI Firmware
  Secureboot state (enabled or disabled)
  Partition Table
  Boot loader and drivers
  Kernel and initrd (including kernel cmdline parameters)
  
  When your system starts, it will compare the current state to the measurements stored in the TPM.
  
  If they match, your system will boot.
  
  As Default Mode establishes a strong 'chain of trust' between a more comprehensive list of key boot components, the use of Secureboot in Default Mode can be considered optional.
  
  As Fallback Mode has no such measurements of boot components, Secureboot should be enabled. Disabling Secureboot in Fallback Mode leaves your system vulnerable to tampering, including attacks which may capture your passphrase when entered.
  
  If secure boot isn't needed then what's stopping an attacker from USB booting and changing the tpm parameters or pulling the luks password? Actually what's stopping an attacker from USB booting even when secure boot is enabled? Or switching the Aeon kernel with one that won't do the check at all and registering that with secure boot?
  
  A quick Google search says secure boot is not intended to protect against someone with physical access. Then why does it matter in the context of fde at all? Malware running after boot would have access to (most of the) unencrypted filesystem anyways. Edit: and if it has the privileges to modify kernel or boot loader it could do the things I wrote above too
  
  And it's weird that there isn't a mode that uses a luks password in combination to the chain of trust. Relying on the user password for protection doesn't feel very secure since a physical attacker would have more opportunities to see it while the computer is in use than a luks password.
- Oh, I never heard of this one before, it certainly meets the criteria, I read the documentation to understand it more
  
  yes, the developer seem very opinionated :|
You should take a look at linux mint. I recently setup linux mint on a laptop, and it asked me to enroll a mok so that secure boot works with extra media codecs. On my pc i also installed the nvidia drivers pretty easily. Also mint is a ubuntu derivate, but snaps are disabled by default. Its not as fast as rolling release distros, but if you install the lastest mint version, you get the packages of the latest ubuntu lts version.
Dude, you're not lost. You have highly specialized requirements that the vast majority of people don't have so most people won't be able to help. But you definitely are ahead of the average Linux user here.

I'm one of the people that can't help you, but it looks like some others here have good suggestions
- I'm not sure hardware-based full disk encryption counts as a "highly specialized requirement". It's enabled by default on Android, iOS, Mac and even Windows usually. It's a basic requirement for businesses.
  
  even Windows usually
  
  citation needed
TPMs can be extracted with physical access

You could use a security key
- TPMs can be extracted with physical access
  
  Sure, but IIRC, they'd still need my PIN (for TPM+PIN through cryptenroll). I don't think it's possible to do TPM backed encryption without a PIN on Linux.
  
  EDIT: Oh wait, you can... Why anyone would is beyond me though.
Arch Linux is a good choice. You can do most of everything you mention, only downside is you will have to set it up yourself. Provided you read the Arch Wiki, it should not be a difficult task.
- Arch now also has a convenient install script, that does all the heavy lifting. It's an easy-to-use terminal interface, and basically works like any other OS installer.
I recently installed Bazzite, which is based on fedora. And it can come with Nvidia drivers, and kde. Pretty smooth in all honesty, but it is gaming focused so comes with some gaming stuff preinstalled
@LEVI TPM is f'n annoying. Remember when back in the day the Free Software movement was actually about sharing everything, including getting people to not use passwords.
Listening to this podcast might be helpful along with the links in the show notes: https://linuxunplugged.com/572

Here's another option: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

I found these on a hacker news comment: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
use something like Gentoo or Alpine… yeah but do you expect me to compile my software after ? hell no

There are more systemd-free distros like Artix Linux (which is just Arch without systemd), Devuan (which is the same thing but for Debian) and Void Linux. Btw Alpine doesn't require you to compile anything.
- I heard from people who have tried both Void and Alpine, that Void is much more easier to use as a desktop OS while Alpine is more suited as a server OS..
  
  I agree, I primarily use Alpine on servers myself
Pop!_OS still gets security updates, even with their being more focus on the Cosmic Desktop. If it worked for you in the beginning, I’d stick with it — I used it as my first distro as well.

You've viewed 31 comments.