Hi, I’m in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

I’m running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I’m 100% sure I don’t need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

I’m planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.

I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.

What are other ways I can make my laptop more secure?

  • chevy9294OP
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    Thank you for the list! Do you maybe know where can I find explanations what does each option do? I know only half of them and I already use some of them.

    • vatson112@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      9 months ago

      I will describe settings that are not so easy to google and a few new thoughts.

      kptr restrict:

      https://wiki.archlinux.org/title/security

      https://lwn.net/Articles/420403/

      Kexec:

      You may google about mechanics, but basically, it is just a mechanism to ‘reexec’ your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.

      But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).

      These are unlikely scenarios. But I prefer to disable this feature since I don’t use it anyway.

      Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.

      Ebpf JIT:

      There I misleaded you.

      There is some new information about JIT and security. See https://youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

      According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)

      Randomize virtual memory address:

      https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR#:~:text=Address space layout randomization (ASLR) is a memory-protection,executables are loaded into memory.

      systemd

      If you use systemd your can use systemd-analyze tool to harden your units settings.

      Also, I remember the tool you can use.

      There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.

      You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.

      This may give you some thoughts.

      • chevy9294OP
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Thank you very much for this detailed explanation! Looks like kptr and kexec are already disabled and enabled randomized virtual memory address in the hardened kernel. I will check for ebpf. Security certs seem interesting, I will defenetly look into them.