# secureblue

After rebasing to secureblue, follow the following steps in order.

## Subscribe to secureblue release notifications

[FAQ](https://github.com/secureblue/secureblue/blob/live/FAQ.md#how-do-i-get-notified-of-secureblue-changes)

## Nvidia
If you are using an nvidia image, run this after installation:

```
rpm-ostree kargs \
    --append-if-missing=rd.driver.blacklist=nouveau \
    --append-if-missing=modprobe.blacklist=nouveau \
    --append-if-missing=nvidia-drm.modeset=1 \
    --append-if-missing=nvidia-drm.fbdev=1
```

You may also need this (solves flickering and luks issues on some nvidia hardware):
```
rpm-ostree kargs \
    --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init
```

### Nvidia optimus laptop
If you are using an nvidia image on an optimus laptop, run this after installation:

```
ujust configure-nvidia-optimus
```

## Enroll secureboot key

```
ujust enroll-secure-boot-key
```

## Set kargs

Documentation is available [here](https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/60-custom.just.readme.md) for the kargs set by the commands below.

### Set hardened kargs

```
ujust set-kargs-hardening
```

### Set additional unstable hardened kargs

*Can cause issues on some hardware, but stable on other hardware*

```
ujust set-kargs-hardening-unstable
```

## Setup USBGuard

*This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard*

```
ujust setup-usbguard
```

## GRUB
### Set a password

Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters.

To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries.

```
sudo grub2-setpassword
```

GRUB will prompt for a username and password. The default username is root.

If you wish to password-protect booting existing entries, you can add the `grub_users root` entry in the specific configuration file located in the `/boot/loader/entries` directory.

## Create a separate wheel account for admin purposes

Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like:

- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD
- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password

> [!CAUTION]
> If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the [traditional GRUB-based method](https://linuxconfig.org/recover-reset-forgotten-linux-root-password) of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.

1. ```sudo adduser admin```
2. ```sudo usermod -aG wheel admin```
3. ```sudo passwd admin```
4. ```reboot```

> [!NOTE]
> We log in as admin to do the final step of removing the user account's wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.

5. Log in as `admin`
6. ```gpasswd -d {your username here} wheel```
7. ```reboot```

When using a non-wheel user, you can add the user to other groups if you want. For example:

- use libvirt: `libvirt`
- use `adb` and `fastboot`: `plugdev`
- use systemwide flatpaks: `flatpak`


## Bash environment lockdown

To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), run:

```
ujust toggle-bash-environment-lockdown
```

## LUKS TPM2 Unlock

To enable TPM2 LUKS unlocking (do not use this if you have an AMD CPU), run:

`ujust setup-luks-tpm-unlock` and type `Y` when asked if you want to set a PIN.

## Validation

To validate your secureblue setup, run:

```
ujust audit-secureblue
```

## Optional: `hardened-chromium` Flags
The included hardened-chromium browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening, and convenience. (That can cause functionality issues in *some* cases)
You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install).

## Read the FAQ

Lots of important stuff is covered in the [FAQ](https://github.com/secureblue/secureblue/blob/live/FAQ.md). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc.