linux4noobs

1379 readers

1 users here now

linux4noobs

Noob Friendly, Expert Enabling

Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.

Seeking Support?

Mention your Linux distro and relevant system details.
Describe what you've tried so far.
Share your solution even if you found it yourself.
Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
Properly format any scripts, code, logs, or error messages.
Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.

Community Rules

Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
Posts must be Linux oriented
Spam or affiliate links will not be tolerated.

founded 1 year ago

MODERATORS

PlutoParty

after 4 years of Linux I'm still lost.. (feddit.org)

submitted 3 months ago by [email protected] to c/linux4noobs

31 comments fedilink hide all child comments

I used PopOS, but once they announced they'll start focusing on their Cosmic desktop, I switched to Fedora KDE it worked to some degree until it crashed and I lost some data, now I'm on Ultramarine GNOME and it doesn't seem to like my hardware ( fans are spinning fast )

my threat model involves someone trying to physically unlock my device, so I always enable disk encryption, but I wonder why Linux doesn't support secure boot and TPM based encryption ( I know that Ubuntu has plans for the later that's why I'm considering it rn )

I need something that keeps things updated and adobts newer standards fast ( that's why I picked Fedora KDE in the first place ), I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers

Idk what to choose ಥ_ಥ ? the only one that seem to care about using hardware based encryption is Ubuntu, while other distros doesn't support that.. the problem with Ubuntu is there push for snaps ( but that can be avoided by the user )

security heads say: if you care about security, you shouldn't be using systemd, use something like Gentoo or Alpine.. yeah but do you expect me to compile my software after ? hell no

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 14 points 3 months ago (9 children)

K, so I'm probably oversimplifying, but almost all distros should allow you to at least encrypt /home, and although I haven't tried it myself yet, whole-disk encryption via UEFI is possible. You say your threat model is only someone trying to unlock your device, but it sounds as if you're not worried about espionage - someone gaining access to your computer and replacing the /efi boot process with something that will harvest your password when you log in. If all you're worried about is seizure and data protection, why isn't disk encryption sufficient?

If you really feel like you need TPM, Arch supports it, which means other distros do, too. Although, figuring it out for, e.g., Ubuntu of something you'll have to research; the Arch wiki is the most fantastic source of Linux documentation on the web, and much (but not all) of it can help with other distros.

I may be completely misunderstanding what problem you're encountering, but (a) disk encryption is trivial to set up on both Mint and EndeavorOS installers (the two I've used most recently), and (b) TPM certainly seems possible from the Arch wiki.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (8 children)

Idk if FDE is enough, what if the attacker can modify the boot code to capture the decryption keys and other stored passwords ? as far as I know this is exactly what secure boot protects against, it checks the validity of the boot code using the TPM chip, if it's already there, why don't most distros use it ? instead you'll see that secure boot is greyed out in the Bios ( which means it's not supported )

and yes, I did lock down the Bios too, with a different password

Edit: I'll check EndevourOS documentation, Mint is cool but it doesn't adobt newer standards or newer kernels ( newer kernels are just much more secure )

[–] th3raid0r 2 points 3 months ago* (last edited 3 months ago) (1 children)

This sounds like a lenovo machine. Or something with a similar MOK enrollment process.

I forget the exact process, but I recall needing to reset the secureboot keys in "install mode" or something, then it would allow me to perform the MOK enrollment. If secureboot is greyed out in the BIOS it is never linux's fault. That's a manufacturer issue.

Apparently, some models of Lenovo don't even enable MOK enrolment and lock it down entirely. Meaning that you'd need to sign with Microsofts keys, not your own. The only way to do this is to be a high-up microsoft employee OR use a pre-provided SHIM from the distribution.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader

For that case, Ubuntu and Fedora are better because, per the Ubuntu documentation they do this by default.

On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.

Once you have secureboot working on Ubuntu or Fedora, you could likely follow these steps to enable TPM+PIN - https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module

There might be some differences as far as kernel module loading and ensuring you're using the right tooling for your distro, but most importantly, the bones of the process are the same.

OH! And if you aren't getting the secureboot option in the installer UI, that could be due to booting the install media in "legacy" or "MBR" mode. Gotta ensure it's in UEFI mode.

EDIT: One more important bit, you'll need to be using the latest nvidia drivers with the nvidia-open modules. Otherwise you'll need to additionally sign your driver blobs and taint your kernel. Nvidia-Open is finally "default" as of the latest driver, but this might differ on a per-distro basis.

[–] [email protected] 2 points 3 months ago

Thank you, this answer covers it all :D

load more comments (6 replies)