scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-01 19:07:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c8e1630d95b827fdf1eb14d31d1f4bf4bd619854
secureblue/POSTINSTALL-README.md
fine2006 c8e1630d95 fix: minor spelling mistake (#396)
2024-08-25 23:20:40 -07:00

4.1 KiB
Raw Blame History

secureblue

After rebasing to secureblue, follow the following steps in order.

Subscribe to secureblue release notifications

FAQ

Nvidia

If you are using an nvidia image, run this after installation:

rpm-ostree kargs \
    --append-if-missing=rd.driver.blacklist=nouveau \
    --append-if-missing=modprobe.blacklist=nouveau \
    --append-if-missing=nvidia-drm.modeset=1

Nvidia optimus laptop

If you are using an nvidia image on an optimus laptop, run this after installation:

ujust configure-nvidia-optimus

Enroll secureboot key

ujust enroll-secure-boot-key

Set kargs

Documentation is available here for the kargs set by the commands below.

Set hardened kargs

ujust set-kargs-hardening

Set unstable hardened kargs

Can cause issues on some hardware, but stable on other hardware

ujust set-kargs-hardening-unstable

Install Homebrew

ujust brew

Setup USBGuard

This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard

ujust setup-usbguard

GRUB

Set a password

Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters.

To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries.

sudo grub2-setpassword

GRUB will prompt for a username and password. The default username is root.

If you wish to password-protect booting existing entries, you can add the grub_users root entry in the specific configuration file located in the /boot/loader/entries directory.

Create a separate wheel account for admin purposes

Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like:

Caution

If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.

  1. adduser admin
  2. usermod -aG wheel admin
  3. passwd admin
  4. reboot

Note

We log in as admin to do the final step of removing the user account's wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.

  1. Log in as admin
  2. gpasswd -d {your username here} wheel
  3. reboot

When using a non-wheel user, you can add the user to other groups if you want. For example:

  • use libvirt: libvirt
  • use adb and fastboot: plugdev
  • use systemwide flatpaks: flatpak

Bash environment lockdown

To mitigate LD_PRELOAD attacks, run:

ujust toggle-bash-environment-lockdown

LUKS TPM2 Unlock

To enable TPM2 LUKS unlocking (do not use this if you have an AMD CPU), run:

ujust setup-luks-tpm-unlock and type Y when asked if you want to set a PIN.

Chromium extension

  1. Go to uBlock Origin Lite (Why Lite?)
  2. Install it
  3. In the extension's settings, make sure all of the lists under Default and Miscellaneous are checked (and at your preference, lists in the Annoyances section or country-specific lists)