Add back yafti and include various new steps, including kernel and flatpak hardening automation

This commit is contained in:
qoijjj
2023-11-30 21:13:11 -08:00
parent 719016a526
commit f559a983f7
7 changed files with 53 additions and 80 deletions


@@ -80,14 +80,9 @@ To rebase an existing Silverblue/Kinoite installation to the latest build:
``` ```
systemctl reboot systemctl reboot
``` ```
### Post-install ### Post-install
The following command is available to append kernel boot parameters that apply additional hardening (reboot required):
```
just set-kargs-hardening
```
#### Nvidia #### Nvidia
If you are using an nvidia image, run this after installation: If you are using an nvidia image, run this after installation:


@@ -1,37 +1,45 @@
title: Welcome to uBlue title: Welcome to secureblue!
properties: properties:
mode: "run-on-change" mode: "run-on-change"
screens: screens:
first-screen: first-screen:
source: yafti.screen.title source: yafti.screen.title
values: values:
title: "Welcome to uBlue (Alpha)" title: "Welcome to secureblue!"
icon: "/path/to/icon" icon: "/path/to/icon"
description: | description: |
This guided installer will help you get started with your new system. This guided installer will help you get started with your new system.
can-we-harden-your-kargs:
source: yafti.screen.consent
values:
title: Kernel hardening
description: |
This step will enable additional kernel hardening. You must run this manually, since it requires sudo. Run "just set-kargs-hardening" in a terminal, then click accept.
actions:
- run: just set-kargs-hardening
can-we-harden-your-flatpaks:
source: yafti.screen.consent
values:
title: Flatpak hardening
description: |
This step will enable hardening for installed flatpaks.
actions:
- run: flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
can-we-modify-your-flatpaks: can-we-modify-your-flatpaks:
source: yafti.screen.consent source: yafti.screen.consent
values: values:
title: Welcome, Traveler! title: Flathub setup
condition:
run: flatpak remotes --columns=name | grep fedora
description: | description: |
We have detected the limited, Fedora-provided Flatpak remote on your system, whose applications are usually missing important codecs and other features. This step will therefore remove all basic Fedora Flatpaks from your system! We will instead switch all core Flatpak applications over to the vastly superior, unfiltered Flathub. If you don't want to do this, simply exit this installer. This step will therefore remove all basic Fedora Flatpaks from your system and replace it with Flathub's verified repository. It will also disable the system flatpaks in favor of user flatpaks.
actions: actions:
- run: flatpak remote-delete --system --force fedora - run: flatpak remote-delete --system --force fedora
- run: flatpak remote-delete --user --force fedora - run: flatpak remote-delete --user --force fedora
- run: flatpak remove --system --noninteractive --all - run: flatpak remove --system --noninteractive --all
- run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo - run: flatpak remote-add --if-not-exists --user --subset=verified flathub-verified https://flathub.org/repo/flathub.flatpakrepo
check-user-flathub:
source: yafti.screen.consent
values:
title: Missing Flathub Repository (User)
condition:
run: flatpak remotes --user --columns=name | grep flathub | wc -l | grep '^0$'
description: |
We have detected that you don't have Flathub's repository on your current user account. We will now add that repository to your account.
actions:
- run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo
applications: applications:
source: yafti.screen.package source: yafti.screen.package
values: values:
@@ -39,8 +47,8 @@ screens:
show_terminal: true show_terminal: true
package_manager: yafti.plugin.flatpak package_manager: yafti.plugin.flatpak
package_manager_defaults: package_manager_defaults:
user: false user: true
system: true system: false
groups: groups:
Core GNOME Apps: Core GNOME Apps:
description: Core system applications for the GNOME desktop environment. description: Core system applications for the GNOME desktop environment.
@@ -66,55 +74,18 @@ screens:
- Text Editor: org.gnome.TextEditor - Text Editor: org.gnome.TextEditor
- Videos (Player): org.gnome.Totem - Videos (Player): org.gnome.Totem
- Weather: org.gnome.Weather - Weather: org.gnome.Weather
Core KDE Plasma Apps:
description: Core system applications for the KDE Plasma desktop environment.
default: false
packages:
- Gwenview: org.kde.gwenview
System Apps: System Apps:
description: System applications for all desktop environments. description: System applications for all desktop environments.
default: false default: true
packages: packages:
- Deja Dup Backups: org.gnome.DejaDup
- Fedora Media Writer: org.fedoraproject.MediaWriter
- Flatseal (Permission Manager): com.github.tchx84.Flatseal - Flatseal (Permission Manager): com.github.tchx84.Flatseal
- Font Downloader: org.gustavoperedo.FontDownloader
- Mozilla Firefox: org.mozilla.firefox
Web Browsers:
description: Additional browsers to complement or replace Firefox.
default: false
packages:
- Brave: com.brave.Browser
- GNOME Web: org.gnome.Epiphany
- Google Chrome: com.google.Chrome
- Microsoft Edge: com.microsoft.Edge
- Opera: com.opera.Opera
Gaming:
description: "Rock and Stone!"
default: false
packages:
- Bottles: com.usebottles.bottles
- Discord: com.discordapp.Discord
- Heroic Games Launcher: com.heroicgameslauncher.hgl
- Steam: com.valvesoftware.Steam
- Gamescope (Utility): org.freedesktop.Platform.VulkanLayer.gamescope
- MangoHUD (Utility): org.freedesktop.Platform.VulkanLayer.MangoHud//22.08
- SteamTinkerLaunch (Utility): com.valvesoftware.Steam.Utility.steamtinkerlaunch
- Proton Updater for Steam: net.davidotek.pupgui2
Office:
description: Boost your productivity.
default: false
packages:
- LibreOffice: org.libreoffice.LibreOffice
- OnlyOffice: org.onlyoffice.desktopeditors
- Obsidian: md.obsidian.Obsidian
- Slack: com.slack.Slack
- Standard Notes: org.standardnotes.standardnotes
- Thunderbird Email: org.mozilla.Thunderbird
Streaming:
description: Stream to the Internet.
default: false
packages:
- OBS Studio: com.obsproject.Studio
- VkCapture for OBS: com.obsproject.Studio.OBSVkCapture
- Gstreamer for OBS: com.obsproject.Studio.Plugin.Gstreamer
- Gstreamer VAAPI for OBS: com.obsproject.Studio.Plugin.GStreamerVaapi
- Boatswain for Streamdeck: com.feaneron.Boatswain
final-screen: final-screen:
source: yafti.screen.title source: yafti.screen.title
@@ -122,11 +93,7 @@ screens:
title: "All done!" title: "All done!"
icon: "/path/to/icon" icon: "/path/to/icon"
links: links:
- "Install More Applications":
run: /usr/bin/gnome-software
- "Website": - "Website":
run: /usr/bin/xdg-open https://ublue.it run: /usr/bin/xdg-open https://github.com/secureblue/secureblue
- "Join the Discord Community":
run: /usr/bin/xdg-open https://discord.gg/XjG48C7VHx
description: | description: |
Thanks for trying uBlue, we hope you enjoy it! Thanks for trying secureblue, we hope you enjoy it!
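Review bot: The `check-user-flathub` screen re-adds the unfiltered `flathub` remote, which undercuts the `--subset=verified flathub-verified` remote the `can-we-modify-your-flatpaks` screen now sets up, and its condition `grep flathub` also matches `flathub-verified`, so the screen fires only when neither remote exists and then installs the unverified one. Use the same verified remote there, `- run: flatpak remote-add --if-not-exists --user --subset=verified flathub-verified https://flathub.org/repo/flathub.flatpakrepo`, and match the remote name exactly in the condition (`grep -x flathub-verified`). The `can-we-harden-your-kargs` description instructs the user to run `just set-kargs-hardening` by hand and then click accept, yet the screen's `actions` run the same recipe again; `rpm-ostree kargs --append` appears to append unconditionally, so the second run is likely to duplicate every boot argument — keep either the manual instruction or the action, not both. The `can-we-harden-your-flatpaks` action also inlines the override command that this commit defines in the justfile as `harden-flatpak`; `- run: just harden-flatpak` keeps the two copies from drifting.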


@@ -3,3 +3,6 @@
# Add additional boot parameters for hardening (requires reboot) # Add additional boot parameters for hardening (requires reboot)
set-kargs-hardening: set-kargs-hardening:
rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="efi=disable_early_pci_dma" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="nvme_core.default_ps_max_latency_us=0" --append="mitigations=auto,nosmt" rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="efi=disable_early_pci_dma" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="nvme_core.default_ps_max_latency_us=0" --append="mitigations=auto,nosmt"
harden-flatpak:
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
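Review bot: The new `harden-flatpak` recipe has no explanatory comment, unlike `set-kargs-hardening` directly above it, and its scope is easy to misread: a `--user` override with no application ID applies `LD_PRELOAD` to every user-installed flatpak, and the preload path only resolves inside the sandbox because `--filesystem=host-os:ro` exposes the host's /usr under /run/host. Add above the recipe `# Harden all user flatpaks: expose the host OS read-only and preload the host's hardened_malloc into every user-installed app`. The identical command is inlined in the yafti consent screen in this commit; having that screen run `just harden-flatpak` instead avoids two copies diverging. Presumably an app whose runtime is not binary-compatible with the host's libhardened_malloc.so will fail to launch after this override — worth confirming and mentioning in the comment, since the override is global.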


@@ -19,3 +19,5 @@ modules:
- from-file: common-bling.yml - from-file: common-bling.yml
- from-file: common-scripts.yml - from-file: common-scripts.yml
- type: yafti


@@ -19,3 +19,5 @@ modules:
- from-file: common-bling.yml - from-file: common-bling.yml
- from-file: common-scripts.yml - from-file: common-scripts.yml
- type: yafti


@@ -19,3 +19,5 @@ modules:
- from-file: common-bling.yml - from-file: common-bling.yml
- from-file: common-scripts.yml - from-file: common-scripts.yml
- type: yafti


@@ -19,3 +19,5 @@ modules:
- from-file: common-bling.yml - from-file: common-bling.yml
- from-file: common-scripts.yml - from-file: common-scripts.yml
- type: yafti