I used PopOS, but once they announced they’ll start focusing on their Cosmic desktop, I switched to Fedora KDE. It worked to some degree until it crashed and I lost some data. Now I’m on Ultramarine GNOME and it doesn’t seem to like my hardware (fans are spinning fast).

My threat model involves someone trying to physically unlock my device, so I always enable disk encryption, but I wonder why Linux doesn’t support secure boot and TPM-based encryption (I know that Ubuntu has plans for the latter, that’s why I’m considering it rn).

I need something that keeps things updated and adopts newer standards fast (that’s why I picked Fedora KDE in the first place). I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers.

Idk what to choose ಥ_ಥ ? The only one that seems to care about using hardware-based encryption is Ubuntu, while other distros don’t support that… the problem with Ubuntu is their push for snaps (but that can be avoided by the user).

Security heads say: if you care about security, you shouldn’t be using systemd, use something like Gentoo or Alpine… yeah, but do you expect me to compile my software after? Hell no.


I always enable disk encryption, but I wonder why Linux doesn’t support secure boot and TPM-based encryption (I know that Ubuntu has plans for the latter, that’s why I’m considering it rn)

There is at least one that, as of recently, offers both out of the box: OpenSUSE Aeon. In fact, TPM-based encryption is now mandatory.

It’s rolling—based on OpenSUSE Tumbleweed—and atomic.

I need something that keeps things updated and adopts newer standards fast (that’s why I picked Fedora KDE in the first place). I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers

This could be another point in Aeon’s favor: it uses a combination of Flatpaks and Distrobox, meaning you can use software from basically any distribution you desire—including from, say, Arch’s AUR.

I’ll warn you ahead of time: Aeon and its developer are very opinionated. It’s basically one person’s idea of what makes “the best desktop Linux system,” and those are Richard’s words, not mine. It is also currently still in the release candidate stage.


In this [default] mode, Aeon will measure all of the following aspects of your system’s integrity and store those measurements in your system’s TPM:

UEFI Firmware
Secureboot state (enabled or disabled)
Partition Table
Boot loader and drivers
Kernel and initrd (including kernel cmdline parameters)

When your system starts, it will compare the current state to the measurements stored in the TPM.

If they match, your system will boot.

As Default Mode establishes a strong ‘chain of trust’ between a more comprehensive list of key boot components, the use of Secureboot in Default Mode can be considered optional.

As Fallback Mode has no such measurements of boot components, Secureboot should be enabled. Disabling Secureboot in Fallback Mode leaves your system vulnerable to tampering, including attacks which may capture your passphrase when entered.

If secure boot isn’t needed then what’s stopping an attacker from USB booting and changing the TPM parameters or pulling the LUKS password? Actually, what’s stopping an attacker from USB booting even when secure boot is enabled? Or switching the Aeon kernel with one that won’t do the check at all and registering that with secure boot?

A quick Google search says secure boot is not intended to protect against someone with physical access. Then why does it matter in the context of FDE at all? Malware running after boot would have access to (most of the) unencrypted filesystem anyways. Edit: and if it has the privileges to modify kernel or boot loader it could do the things I wrote above too.

And it’s weird that there isn’t a mode that uses a LUKS password in combination with the chain of trust. Relying on the user password for protection doesn’t feel very secure since a physical attacker would have more opportunities to see it while the computer is in use than a LUKS password.

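The measure-then-compare behaviour in the Aeon documentation quoted above can be modelled in a few lines. This is an added example, not part of the thread and not Aeon's code: it folds the five listed components into a single simulated PCR (a real TPM has several PCR banks and performs the comparison inside the chip), and the component contents, `seal`, `unseal` and `with_component` are constructed for illustration.

```python
import hashlib
import hmac

def extend(pcr: bytes, data: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(data)). A PCR is never set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot(chain) -> bytes:
    """Fold every boot component, in boot order, into one simulated PCR."""
    pcr = bytes(32)  # PCRs start as all zeros at power-on
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def seal(disk_key: bytes, expected_pcr: bytes) -> dict:
    """Model of sealing: the key is bound to one expected PCR value."""
    return {"policy": expected_pcr, "secret": disk_key}

def unseal(sealed: dict, current_pcr: bytes):
    """Release the key only if the current measurement matches the policy."""
    if hmac.compare_digest(sealed["policy"], current_pcr):
        return sealed["secret"]
    return None  # caller falls back to asking for a recovery passphrase

def with_component(chain, name, blob):
    """Return a copy of the chain with one component's contents replaced."""
    return [(n, blob if n == name else b) for n, b in chain]

# Constructed sample data standing in for the components the documentation lists.
BOOT_CHAIN = [
    ("uefi-firmware", b"firmware image v1"),
    ("secureboot-state", b"enabled"),
    ("partition-table", b"GPT: esp, root"),
    ("bootloader", b"bootloader binary + drivers"),
    ("kernel-initrd-cmdline", b"vmlinuz|initrd|root=/dev/mapper/root quiet"),
]

if __name__ == "__main__":
    key = b"\x11" * 32  # constructed disk key
    sealed = seal(key, measure_boot(BOOT_CHAIN))
    print("unchanged boot:", unseal(sealed, measure_boot(BOOT_CHAIN)) == key)
    other = with_component(BOOT_CHAIN, "bootloader", b"some other loader")
    print("different loader:", unseal(sealed, measure_boot(other)))
```

In this model any change to a measured component, including only the kernel command line, yields a different final PCR value, so the sealed key is not released and the system would have to ask for a recovery secret instead.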

Oh, I never heard of this one before, it certainly meets the criteria, I read the documentation to understand it more

yes, the developer seems very opinionated :|
